Edit tour

Windows Analysis Report
LisectAVT_2403002C_44.exe

Overview

General Information

Sample name:	LisectAVT_2403002C_44.exe
Analysis ID:	1481333
MD5:	2427ff6ae2a31ddb6249669ce8e470cd
SHA1:	bc54082f64c27b63ab35927b8b5b69f15518146c
SHA256:	dc3f8a774e309c5f9789137fe97d0767da4399d09d5f7d4ec3c912409aaf4417
Tags:	exe
Infos:

Detection

EICAR

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected EICAR

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Allocates memory in foreign processes

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to infect the boot sector

Creates HTML files with .exe extension (expired dropper behavior)

Creates a FSFilter Anti-Virus service

Drops script or batch files to the startup folder

Hooks winsocket function (used for sniffing or altering network traffic)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Query firmware table information (likely to detect VMs)

Reads the Security eventlog

Reads the System eventlog

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes many files with high entropy

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables driver privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Is looking for software installed on the system

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Spawns drivers

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected PsExec sysinternal tool

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002C_44.exe (PID: 2440 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002C_44.exe" MD5: 2427FF6AE2A31DDB6249669CE8E470CD)

MSBuild.exe (PID: 7644 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

YBwX8KjTjRCKU7PVUt7ohrmo.exe (PID: 8140 cmdline: "C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

360TS_Setup.exe (PID: 4872 cmdline: "C:\Users\user\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= MD5: B56AE4EF6D244BC96CE23A140FF0411E)

360TS_Setup.exe (PID: 1548 cmdline: "C:\Program Files (x86)\1721892447_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall MD5: B56AE4EF6D244BC96CE23A140FF0411E)

r0raHcCIH1k2YsFlLn2OIQyk.exe (PID: 336 cmdline: "C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

WerFault.exe (PID: 5616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2)

DD12FHVAYroWK47l2n2nUb6f.exe (PID: 1928 cmdline: "C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

WerFault.exe (PID: 4240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 976 MD5: C31336C1EFC2CCB44B4326EA793040F2)

87AZujGvMD0DS3bxBzittT7r.exe (PID: 6228 cmdline: "C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

WerFault.exe (PID: 7128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 976 MD5: C31336C1EFC2CCB44B4326EA793040F2)

vG59IrPYDLqWmCOO9Pfbpgeu.exe (PID: 6844 cmdline: "C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

WerFault.exe (PID: 5188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2)

7FamwTPi2SttiX4DgdTFvBP1.exe (PID: 4132 cmdline: "C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

WerFault.exe (PID: 2548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 972 MD5: C31336C1EFC2CCB44B4326EA793040F2)

5HEEZMiEnWqR242MeEoxlGRh.exe (PID: 1252 cmdline: "C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

vjkQvA9A1258BKNJpE9OFR7r.exe (PID: 5172 cmdline: "C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe" /s MD5: CD4ACEDEFA9AB5C7DCCAC667F91CEF13)

WerFault.exe (PID: 7740 cmdline: C:\Windows\system32\WerFault.exe -u -p 2440 -s 3156 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 6604 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5860 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 4948 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 3180 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1432 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7184 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7236 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7444 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7592 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7668 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 7720 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 2440 -ip 2440 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 744 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 336 -ip 336 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4268 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1928 -ip 1928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6028 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6228 -ip 6228 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4864 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6844 -ip 6844 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4312 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4132 -ip 4132 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7852 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 8176 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 2232 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aWJAM7LmGVjrqyGFkBX76m6y.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2156 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jLw9YTEqZHJtGfgAlmf6QvQQ.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qex\qex.dll	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\ramengine.dll	Gandcrab	Gandcrab Payload	kevoreilly	0xdbd00:$string1: GDCB-DECRYPT.txt
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360rp.dll	JoeSecurity_EICAR	Yara detected EICAR	Joe Security
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\appd.dll	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: LisectAVT_2403002C_44.exe PID: 2440	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: LisectAVT_2403002C_44.exe PID: 2440	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002C_44.exe.251659130c8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.LisectAVT_2403002C_44.exe.25165915b08.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\360\Total Security\safemon\360Tray.exe" /start, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe, ProcessId: 1548, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6604, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFBhuG7x7cuyTo0UEY1FLx3F.bat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002C_44.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: LisectAVT_2403002C_44.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.8% probability

Machine Learning detection for sample

Source: LisectAVT_2403002C_44.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002C_44.exe PID: 2440, type: MEMORYSTR

Source: LisectAVT_2403002C_44.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Desktop\LisectAVT_2403002C_44.PDB source: LisectAVT_2403002C_44.exe, 00000000.00000002.1538127572.000000EFC50F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbH source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\621001\out\Release\360boxmain.pdb source: 360boxmain.exe.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\372449\out\Release\SysCleanerUI.pdb source: SysCleanerUI.exe.42.dr
Source:	Binary string: pC:\Users\user\Desktop\LisectAVT_2403002C_44.PDB source: LisectAVT_2403002C_44.exe, 00000000.00000002.1538127572.000000EFC50F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\806392\out\Release\Installer.pdb source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1500985189.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1499687327.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1501833439.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1502015815.0000000004D81000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\689163\src\3\360fsflt_sys_dbgad2_for_i18n\filter\objfre_win7_amd64\amd64\360FsFlt.pdb source: 360FsFlt_old.sys.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\55974\out\Release\360GuardBase.pdb source: 360GuardBase.dll.42.dr
Source:	Binary string: \??\C:\Users\user\Desktop\LisectAVT_2403002C_44.PDB# source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\451438\out\Release\zh-CN\CloudSec3.dll.pdb source: cloudsec3.dll.locale11.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\500965\out\Release\MenuEx.pdb source: MenuEx.dll.42.dr
Source:	Binary string: D:\Project\SafeGuardIntl\branches\SafeInt_V6.2\i18n\I18N\DsRes64\Release\zh-CN\DsRes64.pdb source: DsRes64.dll10.42.dr
Source:	Binary string: LisectAVT_2403002C_44.PDB source: LisectAVT_2403002C_44.exe, 00000000.00000002.1538127572.000000EFC50F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\435521\out\Release\360DeskAna.pdb source: 360DeskAna.exe.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\329925\out\Release\LiveUpdate360.pdb source: LiveUpdate360.exe.42.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\320146\src\q\qutmipc_obtracer_sys\hookportregchangedriver\objfre_wxp_x86\i386\qutmipc.pdb source: qutmipc_win10.sys.42.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\451442\out\Release\pt\DsRes.pdb source: DsRes.dll5.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\396552\out\Release\BootLeakFixer.pdb source: BootLeakFixer.tpi.42.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbolean) source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\606617\src\3\360antihacker_driver\src\objfre_win7_amd64\amd64\360AntiHacker64.pdb source: 360AntiHacker64_win10.sys.42.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\258920\out\Release\ru\UrlSettings.dll.pdb source: UrlSettings.dll.locale8.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbN source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\329925\out\Release\LiveUpdate360.pdbtK source: LiveUpdate360.exe.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\815457\out\Release\en\filemgr.dll.pdb source: filemgr.dll.locale7.42.dr

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00429BF0 FindClose,lstrlenW,lstrlenW,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,

21_2_00429BF0

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00428190 _memset,GetLogicalDriveStringsW,_memset,QueryDosDeviceW,

21_2_00428190

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_30926f56636b977de717efc0a33cc4ae6873153_8dafb6ee_37d64a93-2585-4cac-aad3-8809d659c484\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_r0raHcCIH1k2YsFl_8cc313ba89e65827eb2b854a8ee3edf9cb9d41d6_6c9ad7ec_5564019a-2eb2-4a14-af3e-d6e5dd0bf216\

Networking

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: oPt6fSpHRKiTT7Q1TPCGqKkO.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: V0KULW0eofKGKwAPoyk1jLfW.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: V4FGFkKnEJS9DoImGBsPPCGl.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 8gVu8gjepN333150vcek3LTo.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: K8xiKDxfY6nPxIYPlvgH1pTk.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 8qKqy9BwD3yxFKs9FPzVbbUV.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 6zadM3w0LYJNq0HAyB6c8Jvg.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: BOYLJmOSydyd3al594lj0ZHm.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 3DN5iaTYoSMvSYVEgNVq6srw.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: xW9IehxgAMH1KYhEDWTYyuAV.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: Lqzz8bYqWlL5siF3Zd6Xfpqn.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: ZTC31vHrLGo214Qbz7YtQRrr.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: wZdNhoVbOYgB7TrwJAsCrFOW.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: Zb7nxqblpw7TLWHsBMAvUPsl.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: DZN9HaS2r82y90oqcDIGvbua.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: AP2lZUYLVb3fOVZjIJZoJ5uo.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: z5etLqtnoYB3uq0Gp2ryNMWh.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: mtdHWyrYhqmLIpIP9DyhL8FF.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: sYAdCucIdETYwti6zduaA4uc.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: UvEg1tNw8TQgEGoMoudW4MSA.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: n5eSui7h9Sj1Nl3mxAAYFshy.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: AcH6A3N4Yq3CItbLtQF82Zf4.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: CHlvcwjKXoNvEPi7AbbOuC76.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 4WEUkBG9JpgzYkC7tR5gp4Pg.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: RYKhEanOwC6FWik4A4mJOAN8.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: duwqdISRLLAFoMl7eGQzvk19.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 9fMPr9bjofOW56waLjTgg4fo.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: uvqLI8jE9ivm73yihaZdL8Gh.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: t9bICacqM5w9awp82pyv2NWK.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: uERxbc5vCWNlPNYfvjfoiyga.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: valfJVofmQis2rSwBAURTfbb.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: Nzvx14A6i1YARb0z8nCWnXqc.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: NPEDxjpZoYrdEERzjiUZxi6O.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: bHE9XM1pSzemxpAUTAD74htE.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 1IZVL6x1EXi1l4x68y4gFu3H.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: z6PTVReHORuE0SANRIydUy3R.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: SXah3THn9M8VoE65mbOGcxLZ.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: r6B3NzCfMBGhJGaBBWOTeOOy.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: VMlIObHT52VVzT4ZvJ2a0API.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: gfWrrNoU6cOZVXeoV8l1pMRW.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 8gHZdIpZQLlZm3sIFx1QuBpo.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: HZo5cr670ciKVqx5K7ZScfqY.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: uE4ZDB1En0ie6pdAAAmn6VpC.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: vebo40yZZ14NTRA0bT2wbaOK.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 1UJq8e2U2LX06ZYWItENFs3s.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: U7C9WzWkhs72ELqs0HGle9E1.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: ZQJxXnmsk8IWrmEeNzFuMqjd.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: evpB0G9LOHcHfChKbhcE1wKr.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 0tKUigrv8FZlFjBm6o7EVBkc.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 8a30HwudqUc8B2I1TPgQnnUM.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 5xh1kzRK1sY56wRtA0VfLbHM.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: uwboAo9LPiCMDGo10JP3xX6M.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: SsCm7Ag53eAdgIjMjAEokwsY.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: jeGjhHefWlrpFA9F19l2Ookm.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 0EWtjgbJif9Bin5wbnTDxdpr.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: m4PX6jHO1BAGyiLgBcjrjcWt.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: gBwXmFsqSOHvlyhYsCkYMJOA.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: 6l2OHZVq9ozMIVBLr01xSPSn.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: CXuRBddRChUEwLDDTAGzBHG0.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: jjsEbk9jQEccA6Qt56FDPpOc.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: wmjbSar71ZAYUF4cNnOUSNWf.exe.12.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: Mwty6fi4Q3FKOsbAwfVnBGdO.exe.12.dr

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.LisectAVT_2403002C_44.exe.251659130c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002C_44.exe.25165915b08.1.raw.unpack, type: UNPACKEDPE

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\appd.dll, type: DROPPED

Source: svchost.exe, 00000010.00000003.1448409308.0000015C50776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000010.00000003.1499888964.0000015C50774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 00000010.00000003.1399313091.0000015C50755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000010.00000003.1448409308.0000015C50776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbA
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://channel.360totalsecurity.com/ins?m2=%s&v611=%s&ch=%s&sch=%s%s?%skeyref_linkPhttps://orion.ts.
Source: LisectAVT_2403002C_44.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000010.00000003.1547578522.0000015C50774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547578522.0000015C5077A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1427532948.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1427511081.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000010.00000003.1547734445.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1499514393.0000015C50708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd$
Source: svchost.exe, 00000010.00000003.1446731078.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547734445.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1516843933.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1500194162.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1500116412.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1531397342.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1499853606.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1429623040.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1471050197.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547868831.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446842950.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1499514393.0000015C50708000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446761579.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1485923450.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1471187079.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1485751714.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1486023150.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1532475489.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1430130394.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1485869905.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1429978767.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 00000010.00000003.1446325265.0000015C50729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000010.00000003.1448409308.0000015C50776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547788294.0000015C50786000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547578522.0000015C50774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1516297808.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1532385635.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1427532948.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1427511081.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000010.00000003.1485923450.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1485869905.0000015C50707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd$
Source: svchost.exe, 00000010.00000003.1446731078.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547734445.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1516843933.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1500194162.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1500116412.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1531397342.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1499853606.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1429623040.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1471050197.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547868831.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446842950.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1499514393.0000015C50708000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446761579.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1485923450.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1471187079.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1485751714.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1486023150.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1532475489.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1430130394.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1485869905.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1429978767.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 00000010.00000003.1446325265.0000015C50729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000010.00000003.1446325265.0000015C50729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000010.00000003.1547578522.0000015C50774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://down.360safe.com/setup.exe
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428097824.0000000000487000.00000008.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495741557.0000000000487000.00000008.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507300556.0000000000488000.00000008.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554060682.0000000000487000.00000008.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572589859.0000000000488000.00000008.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615728423.0000000000487000.00000008.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1631033297.0000000000488000.00000008.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668986779.0000000000487000.00000008.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689485723.0000000000488000.00000008.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741271820.0000000000488000.00000008.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729488267.0000000000487000.00000008.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786649072.0000000000487000.00000008.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr, BootLeakFixer.tpi.42.dr, 360GuardBase.dll.42.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428097824.0000000000487000.00000008.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495741557.0000000000487000.00000008.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507300556.0000000000488000.00000008.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554060682.0000000000487000.00000008.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572589859.0000000000488000.00000008.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615728423.0000000000487000.00000008.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1631033297.0000000000488000.00000008.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668986779.0000000000487000.00000008.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689485723.0000000000488000.00000008.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741271820.0000000000488000.00000008.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729488267.0000000000487000.00000008.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786649072.0000000000487000.00000008.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr, 360GuardBase.dll.42.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428097824.0000000000487000.00000008.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495741557.0000000000487000.00000008.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554060682.0000000000487000.00000008.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615728423.0000000000487000.00000008.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668986779.0000000000487000.00000008.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729488267.0000000000487000.00000008.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786649072.0000000000487000.00000008.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeBUTTONBUTTONProduct32Product64
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://down.360safe.com/setupbeta.exe
Source: svchost.exe, 00000002.00000003.1234453899.000001C456850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com/totalsecurity/360TS_Setup.exe/360-total-security/?offline=1P
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1460134591.0000000004140000.00000004.00000800.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1846696921.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1118.exe
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697702948.00000000023B0000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741512061.000000000056E000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745425565.0000000002270000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786696250.000000000056E000.00000002.00000001.01000000.00000019.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab.
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab..)
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabSE.ca
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabY0
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabar.
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabar.a
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabc.
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabh
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505252122.0000000002355000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571833274.0000000002255000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627168153.00000000022B2000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627290975.00000000022B5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688825368.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688599283.00000000023D2000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740428113.0000000002292000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740525105.0000000002295000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabini
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571441481.0000000002252000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabini1
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabini2
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505123387.0000000002352000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabiniX-
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabiniiq
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688655164.00000000023CD000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688857753.00000000023CE000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697875146.00000000023CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab-du
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab5
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab?y
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428117468.000000000056E000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508142856.000000000056E000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572935788.000000000056E000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1631437627.000000000056E000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1669011926.000000000056E000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741512061.000000000056E000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786696250.000000000056E000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabXhttp://www.360totalsecurity.c
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabboo
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabe
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabk
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabp=
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabu
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabw
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1514500363.0000000002330000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505169634.000000000234D000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1516086305.000000000234E000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505327774.000000000234E000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577705604.0000000002230000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633932242.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633792574.0000000002290000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627205903.00000000022AD000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627632367.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688655164.00000000023CD000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688857753.00000000023CE000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab.
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab.G
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab.T
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428117468.000000000056E000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508142856.000000000056E000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572935788.000000000056E000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1631437627.000000000056E000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1669011926.000000000056E000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741512061.000000000056E000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786696250.000000000056E000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab9http://int.down.360safe.com/
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab?
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabY
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577967137.000000000224E000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571583298.000000000224D000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571920792.000000000224E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabb
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabp=
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabpo
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabupdate
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://pinst.360.cn/360se/wssj_setup.cab
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://pinst.360.cn/360se/wssj_setup.cabGdiplus.dllGdiplusStartupGdiplusShutdownGdipCreateFromHDCGdi
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://pinst.360.cn/zhuomian/desktopsafe.cab
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://pinst.360.cn/zhuomian/desktopsafe.cabSoftware
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=%s&pid=%s&os=%s&mid=%s&state=%d
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=%s&pid=%s&os=%s&mid=%s&state=%d&opr_state=%xhttp://s.36
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448568992.000000000238B000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449689816.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449599585.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449492385.000000000238E000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448591698.0000000002396000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446363762.0000000002398000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449569709.0000000002390000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449200062.0000000002396000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445393817.0000000002395000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449711698.0000000002396000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449043614.000000000238E000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830179551.00000000022D8000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834407043.00000000022CE000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834928278.00000000022D6000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834021388.00000000022D6000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834617239.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1832980492.00000000022CB000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829786149.00000000022D5000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833861603.00000000022CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.Marketator.CPI20230405&os=10.0&mid=d1
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/Administrators
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=%s&mod=360Installer.exe&ph=%s&p2p=1&t_id=%s&tads=%
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855390064.000000000883E000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.000000000883E000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008815000.00000004.00000020.00020000.00000000.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?%%
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?%%:
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?%%_1
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?era_
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?lr=
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?ng
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?privQ
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?s=0
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://s.360safe.com/safei18n/query_env.htm?%s=%s
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833301778.00000000022CC000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834407043.00000000022CE000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833154049.00000000022CC000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834617239.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833516971.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1832980492.00000000022CB000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833861603.00000000022CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEI%2Fchp3gABAACmjCwLXJT2BKW9WbDuCaK3D5AvEbW6%
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448568992.000000000238B000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448790828.000000000238C000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449689816.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449599585.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449492385.000000000238E000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448687205.000000000238C000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449569709.0000000002390000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1455681127.0000000002393000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448860757.0000000002390000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449043614.000000000238E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIJbMLkwABAABdkHyH3QE0w3eO%2Fi6DpvdJWeEjanGax
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://s.360totalsecurity.com/safei18n/ins.htm?mid=%s&ver=%s&lan=%s&os=%s&ch=%s&sch=%s&ue=%sMainDlg7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://s.360totalsecurity.com/safei18n/ins_pb.html?mid=%s&m2=%s&ver=%s&lan=%s&os=%s&ch=%s&sch=%s&ue=
Source: svchost.exe, 00000010.00000003.1427569515.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1516297808.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1532385635.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policywP
Source: svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1516297808.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1532385635.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000010.00000003.1427569515.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1399313091.0000015C50755000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue1
Source: svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustvP
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428117468.000000000056E000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508142856.000000000056E000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572935788.000000000056E000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1631437627.000000000056E000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1669011926.000000000056E000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741512061.000000000056E000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786696250.000000000056E000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://www.360safe.com/totalsecurity/en/101/tswin10u/d7http://www.360safe.com/totalsecurity/en/101/t
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: http://www.360totalsecurity.com
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://www.360totalsecurity.com/d/ts/%s/%s/QHSafeTray.exe360Tray.exe%snosign.htm?f=%s&re=%s&mid=%s&v
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505454393.0000000002343000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515849627.0000000002345000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688982664.00000000023C3000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697781076.00000000023C5000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745574464.0000000002285000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740798763.0000000002283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829918670.00000000022CB000.00000004.00000020.00020000.00000000.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://www.360totalsecurity.com/en/license.html
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449599585.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449492385.000000000238E000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1455625649.000000000239F000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449569709.0000000002390000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449666516.000000000239C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html$
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830002018.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html&
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html0
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html2
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html2aP
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449599585.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449492385.000000000238E000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1455625649.000000000239F000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449569709.0000000002390000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449666516.000000000239C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html4
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830002018.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html5
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html7
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html7H
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html;
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html=7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448687205.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html=W
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830002018.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlA
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlAA
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlB
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlHr
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlI
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448687205.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlKV
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449599585.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449492385.000000000238E000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1455625649.000000000239F000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449569709.0000000002390000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449666516.000000000239C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlR
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlS.cab
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446133157.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlUV
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446133157.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlZV
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmla
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577827505.0000000002245000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1572060624.0000000002243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmla#4
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505454393.0000000002343000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515849627.0000000002345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlaW
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmla_
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlarga-P
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830002018.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlc
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlde
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505201523.0000000002348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmldeG
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmler
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlf
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlgXSn
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlh
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlim
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlimU(
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505201523.0000000002348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlima
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlin
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmliv8
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlivE
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlivc
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlmex
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlml
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlmlyPKo
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448687205.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlnW
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlne
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmloWEn
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlop
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlpe
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlpey
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571704283.0000000002248000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlpo
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505399193.0000000002349000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505201523.0000000002348000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515930204.000000000234A000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1572025710.0000000002249000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571704283.0000000002248000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577879075.000000000224A000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633898139.00000000022AA000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1628746877.00000000022A9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688923614.00000000023C9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697813786.00000000023CA000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740714177.0000000002289000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745625576.000000000228A000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlpplied
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlpu-
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlr
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlr)
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlr=
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlr=6
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlra
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571704283.0000000002248000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlre
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlrgat
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834718379.00000000022C8000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834528638.00000000022C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmls
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlt
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmltd
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmluP
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlup
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlup7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlv
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlx
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmly
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmly&n
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446133157.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448687205.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlyW
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlys
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834407043.00000000022CE000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834617239.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834847695.00000000022DC000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1839826468.00000000022DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlz.
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577827505.0000000002245000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1572060624.0000000002243000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633863682.00000000022A5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1629073241.00000000022A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505169634.000000000234D000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1516086305.000000000234E000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505327774.000000000234E000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html$
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449599585.0000000002392000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449492385.000000000238E000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1455625649.000000000239F000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449569709.0000000002390000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449666516.000000000239C000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505169634.000000000234D000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1516086305.000000000234E000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505327774.000000000234E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html%
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833154049.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html&
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html&X
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446133157.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html-V
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740462535.000000000228D000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745703760.000000000228E000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740558848.000000000228E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html/
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html0
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html0%%
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html0%%7
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html0%%T
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html2
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html5
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html7
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688655164.00000000023CD000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688857753.00000000023CE000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697875146.00000000023CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html8X
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505169634.000000000234D000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1516086305.000000000234E000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505327774.000000000234E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html:
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html;
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=7
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571704283.0000000002248000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=7P
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=7b(89
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834407043.00000000022CE000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834617239.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834847695.00000000022DC000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1839826468.00000000022DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html?/
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlA
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlE
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlF
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlGhY
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633932242.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627205903.00000000022AD000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627632367.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlJ&(9
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834407043.00000000022CE000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834617239.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834847695.00000000022DC000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1839826468.00000000022DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlJ/
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlK
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446133157.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlKV
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740462535.000000000228D000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745703760.000000000228E000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740558848.000000000228E000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlQ
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577967137.000000000224E000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571583298.000000000224D000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571920792.000000000224E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlQ%
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740462535.000000000228D000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745703760.000000000228E000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740558848.000000000228E000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlR
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlUn
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688655164.00000000023CD000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688857753.00000000023CE000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697875146.00000000023CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlVX
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlW
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html_
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmla=r
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740462535.000000000228D000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745703760.000000000228E000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740558848.000000000228E000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833154049.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlb
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833154049.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlc
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688655164.00000000023CD000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688857753.00000000023CE000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697875146.00000000023CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmldY
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlde
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505454393.0000000002343000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515849627.0000000002345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmldef
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmle.
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmleminder=7
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlh
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmli
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlim
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlim?
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlimi
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlin
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlini
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmliv
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlivQ
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633932242.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627205903.00000000022AD000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627632367.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmll&
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlm
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlme
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlne
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633932242.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627205903.00000000022AD000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627632367.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlo
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlop
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlop;
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlp
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlpe
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlpe-
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlpg
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1833154049.00000000022C9000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlq
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577967137.000000000224E000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571583298.000000000224D000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571920792.000000000224E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr$
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr=
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505201523.0000000002348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr=%
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr=K
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlrU
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlre
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlrej
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmls
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmls=
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688655164.00000000023CD000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688857753.00000000023CE000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697875146.00000000023CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmluY
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlupq
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmly
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlyG
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/o
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505201523.0000000002348000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515539628.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515930204.000000000234A000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1572025710.0000000002249000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571704283.0000000002248000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577879075.000000000224A000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002231000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633898139.00000000022AA000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1628746877.00000000022A9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688923614.00000000023C9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023B1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697813786.00000000023CA000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740714177.0000000002289000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745625576.000000000228A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.html
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577767864.0000000002241000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633827080.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.html7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.html=0
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlc
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlderp
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlews=
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlime
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlope
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697739807.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlra=
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688923614.00000000023C9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023B1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697813786.00000000023CA000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740714177.0000000002289000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745625576.000000000228A000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002271000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html5
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html7
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633827080.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.htmla=7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.htmlder
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.htmler=
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745527705.0000000002281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.htmlews
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.htmlins
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.htmlo
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577767864.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002231000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633898139.00000000022AA000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1628746877.00000000022A9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688923614.00000000023C9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023B1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697813786.00000000023CA000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740714177.0000000002289000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745625576.000000000228A000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002271000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html.
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html=0
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmla=7
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlcab9
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlera
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697739807.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlews
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633827080.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745527705.0000000002281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlime
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlins
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlo
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505014675.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000003.1505201523.0000000002348000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515539628.0000000002341000.00000004.00000020.00020000.00000000.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1515930204.000000000234A000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1572025710.0000000002249000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571704283.0000000002248000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577879075.000000000224A000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002231000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633898139.00000000022AA000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1628746877.00000000022A9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688761933.00000000023C8000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688923614.00000000023C9000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023B1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697813786.00000000023CA000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740714177.0000000002289000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745625576.000000000228A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html
Source: DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577767864.0000000002241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html=7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.htmla=7
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.htmler=
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.htmlera
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697739807.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.htmlins
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.htmlmin
Source: 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633827080.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.htmlo
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1745527705.0000000002281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.htmlra=
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: http://www.360totalsecurity.comIDS_LOAD_P2SP_ERROR/tswin10/tsewin10IDS_UPDATE_QUESTIONIDS_UPDATE_WAR
Source: svchost.exe, 00000003.00000002.1366082415.000002C2D3813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C5072C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361447426.0000015C50756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361447426.0000015C50756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361130944.0000015C50757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1499558059.0000000003823000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498985660.000000000381E000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://chrome.google.com/webstore/detail/360-internet-protection/glcimepnljoholdmjchkloafkggfoijhht
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxcom.google.chrome.wdwedprofirefox.exeeEopennewIE.Asso
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1366434447.000002C2D3844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365040245.000002C2D3843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364950065.000002C2D385A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366782010.000002C2D3881000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1366782010.000002C2D3881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1366216352.000002C2D383F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364950065.000002C2D385A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1366135413.000002C2D382B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000002.1366216352.000002C2D383F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000002.1366216352.000002C2D383F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1366434447.000002C2D3844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365040245.000002C2D3843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000003.1365023586.000002C2D384A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366216352.000002C2D383F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366434447.000002C2D3844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365040245.000002C2D3843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364687308.000002C2D385E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364687308.000002C2D385E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000002.1366135413.000002C2D382B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1234453899.000001C4568A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000002.00000003.1234453899.000001C456850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.00000000025B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361447426.0000015C50756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361447426.0000015C50756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C5072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfe
Source: svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srfrf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000010.00000003.1427569515.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360803971.0000015C50710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000010.00000003.1361237309.0000015C50727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000010.00000003.1427569515.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361237309.0000015C50727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000010.00000003.1361237309.0000015C50727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C5072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000010.00000003.1485720042.0000015C5075A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DthxNMvdXbruAUlcqvcNFbBf1CkG7V4BHIiL7xrq
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361447426.0000015C50756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000010.00000003.1427569515.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361205149.0000015C5076B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000010.00000003.1360710020.0000015C5072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805021
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361447426.0000015C50756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806033
Source: svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361130944.0000015C50757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000010.00000003.1360710020.0000015C5072C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360825704.0000015C5075A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000010.00000003.1360803971.0000015C50710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000010.00000003.1360803971.0000015C50710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000010.00000003.1360803971.0000015C50710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 00000010.00000003.1361237309.0000015C50727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
Source: svchost.exe, 00000010.00000003.1360803971.0000015C50710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000010.00000003.1360803971.0000015C50710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	String found in binary or memory: https://orion.ts.360.com/promo/opera?ch=%s&sch=%s&ver=%s&lan=%s&os=%s&mid=%s&mver=%s&time=%I64d
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	String found in binary or memory: https://orion.ts.360.com/promo/opera?ch=%s&sch=%s&ver=%s&lan=%s&os=%s&mid=%s&mver=%s&time=%I64d/down
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.00000251658A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/xYhKBupz1https://yip.su/RNWPd.exe7https://iplogger.com/1uNwK4
Source: LisectAVT_2403002C_44.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50755000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C5072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 00000003.00000003.1365072003.000002C2D3832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtuHV
Source: svchost.exe, 00000003.00000003.1365072003.000002C2D3832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.hT
Source: svchost.exe, 00000003.00000003.1365040245.000002C2D3843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1365023586.000002C2D384A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1365023586.000002C2D384A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364758050.000002C2D385D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366135413.000002C2D382B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000003.1365072003.000002C2D3832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.akS
Source: svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ar/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ar/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ar/license/360-total-security-essential/Cu
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ar/license/360-total-security/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ar/privacy/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/experience.html
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/experience.htmlA
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1855390064.000000000887B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/license/360-total-security-essential/a
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/license/360-total-security-essential/wt
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/license/360-total-security/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/privacy/.$
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/de/privacy/rg
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/experience.html
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/experience.html60
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/license/360-total-security-essential/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/license/360-total-security/%
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/privacy/60-tot
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/es/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/es/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/es/license/360-total-security-essential/Z
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/es/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/es/privacy/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/fr/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/fr/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1855390064.000000000887B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/fr/license/360-total-security-essential/1fGB
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/fr/license/360-total-security/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/fr/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/fr/privacy/lo
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/hi/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/hi/license/360-total-security-essential/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/hi/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/hi/license/360-total-security/Iz
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/hi/privacy/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/experience.html
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/experience.htmlr
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/license/360-total-security-essential/-
Source: 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/license/360-total-security-essential/.
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855390064.000000000887B000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/license/360-total-security/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/privacy/5
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/it/privacy/y/og
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ja/experience.html
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ja/experience.htmlQ
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ja/license/360-total-security-essential/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ja/license/360-total-security/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ja/privacy/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/experience.html
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/experience.htmlG
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/experience.htmlS
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1855390064.000000000887B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/license/360-total-security-essential/&#/a
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/license/360-total-security-essential/Hpz
Source: 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/license/360-total-security-essential/r.
Source: 360TS_Setup.exe, 0000002A.00000003.1855390064.000000000887B000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/license/360-total-security/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pl/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pt/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pt/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pt/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/pt/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ru/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ru/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ru/license/360-total-security-essential/.
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ru/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/ru/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/tr/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/tr/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/tr/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/tr/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/vi/experience.html
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/vi/license/360-total-security-essential/
Source: 360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/vi/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/vi/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-TW/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-TW/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-TW/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-cn/experience.html
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-cn/license/360-total-security-essential/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-cn/license/360-total-security/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-cn/privacy/
Source: 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/zh-tw/experience.html

Source: 360hvm64_win10.sys.42.dr

Binary or memory string: __win32kstub_NtUserRegisterRawInputDevices

memstr_207fb3e6-3

E-Banking Fraud

Hooks winsocket function (used for sniffing or altering network traffic)

Source: explorer.exe

File created: function: SendInput

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsark_win10.cat	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsark64_win10.cat	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\hookport_win10.cat	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Jump to behavior

Reads the System eventlog

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P entropy: 7.9947868314	Jump to dropped file
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe (copy) entropy: 7.9947868314	Jump to dropped file
Source: C:\Users\user\Pictures\360TS_Setup.exe	File created: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe entropy: 7.9947868314	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\config\lang\vi\SysSweeper.ui.dat entropy: 7.99824293868	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\config\lang\ru\SysSweeper.ui.dat entropy: 7.99839511623	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\tracesweeper.dat entropy: 7.99894919458	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qex\patt.enc entropy: 7.9997422106	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qex\qex.vdb.enc entropy: 7.99954825407	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\deepscan\dsconz.dat entropy: 7.99037939907	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\deepscan\dsconz.dat entropy: 7.99016446053	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\deepscan\dsconz.dat entropy: 7.99061886443	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\deepscan\dsconz.dat entropy: 7.99002844356	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\deepscan\dsconz.dat entropy: 7.990304556	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\deepscan\dsconz.dat entropy: 7.99081120532	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\deepscan\dsconz.dat entropy: 7.99047034542	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\deepscan\dsconz.dat entropy: 7.99143900812	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\3G\LibOui.dat entropy: 7.99230870384	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\LibSDI.dat entropy: 7.99824156826	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\LibSDI.dat entropy: 7.99831702786	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\libsdi.dat entropy: 7.99837092372	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\LibSDI.dat entropy: 7.99845744515	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\LibSDI.dat entropy: 7.99812292776	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\LibSDI.dat entropy: 7.99857629006	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\LibSDI.dat entropy: 7.99844867606	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\LibSDI.dat entropy: 7.99831702786	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\libsdi.dat entropy: 7.9984763848	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\libsdi.dat entropy: 7.99854362173	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\LibSDI.dat entropy: 7.99804599993	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\LibSDI.dat entropy: 7.99825030073	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\LibSDI.dat entropy: 7.9981082256	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\LibSDI.dat entropy: 7.99820874819	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\lsv.dat entropy: 7.99696835381	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\Qshieldz.dat entropy: 7.99968069651	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\safespeedboot.dat entropy: 7.9973663814	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\deepscan\ssr.dat entropy: 7.99426302456	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\deepscan\ssr.dat entropy: 7.99365294086	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\deepscan\ssr.dat entropy: 7.99309973158	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\deepscan\ssr.dat entropy: 7.99453795618	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\ramengine.dll, type: DROPPED

Matched rule: Gandcrab Payload Author: kevoreilly

Yara detected EICAR

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360rp.dll, type: DROPPED

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_004460F0: CreateFileA,DeviceIoControl,CloseHandle,

21_2_004460F0

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

File created: C:\Windows\system32\drivers\360Camera64.sys

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

File created: C:\Windows\system32\drivers\360Camera64.sys

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360Camera64.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360AntiHacker64.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360AvFlt.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360netmon.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360Box64.sys

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCD9DB0	0_2_00007FFAACCD9DB0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCDB16D	0_2_00007FFAACCDB16D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCD34D3	0_2_00007FFAACCD34D3
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCD335E	0_2_00007FFAACCD335E
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCD3418	0_2_00007FFAACCD3418
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAAD630E29	0_2_00007FFAAD630E29
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00409950	21_2_00409950
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00434029	21_2_00434029
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_004343A0	21_2_004343A0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00428420	21_2_00428420
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_004684E5	21_2_004684E5
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00434550	21_2_00434550
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00446530	21_2_00446530
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0045A844	21_2_0045A844
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00446830	21_2_00446830
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0042EA60	21_2_0042EA60
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00468A29	21_2_00468A29
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00434B10	21_2_00434B10
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00432B90	21_2_00432B90
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0045AD19	21_2_0045AD19
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00432EB0	21_2_00432EB0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00460F4E	21_2_00460F4E
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00432FC0	21_2_00432FC0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00463069	21_2_00463069
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0044F000	21_2_0044F000
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_004530D0	21_2_004530D0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0045B0ED	21_2_0045B0ED
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00469121	21_2_00469121
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00407290	21_2_00407290
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_004313A0	21_2_004313A0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0045B4F9	21_2_0045B4F9
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00425800	21_2_00425800
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0045783A	21_2_0045783A
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_004058A0	21_2_004058A0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0045B919	21_2_0045B919
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00433A10	21_2_00433A10
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00423C30	21_2_00423C30
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00433E50	21_2_00433E50
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00467FA1	21_2_00467FA1
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00469FBE	21_2_00469FBE
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Code function: 42_3_0884F79A	42_3_0884F79A

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

Process token adjusted: Load Driver

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: String function: 004050C0 appears 43 times
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: String function: 00453DCC appears 49 times
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: String function: 04D03C15 appears 36 times
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: String function: 04D03BDF appears 444 times
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: String function: 04D03BA9 appears 78 times
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: String function: 04D03B76 appears 1563 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2440 -ip 2440

Source: 6Se9cfVvgkgQ1LiWk4azwLiz.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: PNRovpjvuoTBDQWgmW6Dxpeu.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: PQ7InkkMnF4WgBpnrK0fM12d.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: hnKZFCj5oe7DMZMOnuhsEUAF.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: JbCzziprwhxu952EEGGM4kyy.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 7TZg7zlWDNnbBmFYTmmvpQh2.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: p0TVeG7PgzSYUEgCbGq9rvc9.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 3pU7us2lCosxu8OuPe4BpnIe.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: Qhn5Cs4iUiQe1fOLh3QZma5T.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 0lzVim7riCB1upr1FUP8xSQR.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: iaqDCrpk7XgTBT3Gv3tL3MhD.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: nlajzL0nJsjGBoOzsEHar6xN.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: YiBUNoJoPIhAtYOnilMSPvZS.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: eXYG01pvaO43Gh2ID1P8KBeF.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: OwwOgzkPQh7uMioCPDE28dVh.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: tsPDoXjJ5QDVbxpQe7Ldx9O5.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: PT6Mx7KioNvzBAtCL7QX2GXq.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: S3AafgsV3ndWpGK20WkoNgGW.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: U3Oa50HVWGsdPmyCniC9yFFX.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: Qs8gKU4lVOLm6RixkxRfa4V2.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 36dsvh9ycgNnqmR2ByFaAF5L.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: UVfMqDwGoGEvVkVybkeC8QrI.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 8M7DUF3xBSx8QcSLemrdjOdg.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 5HEEZMiEnWqR242MeEoxlGRh.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: yE7noGQXNcOT5zohTTwqK6bF.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 4ZZwfXAuJ072C1VqOfz1A4ih.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: UDhWZlM2m146SXcde4F56BRT.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: tAqt9uSHmrF7Z3H2xvM1lxwA.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 6HbUFGG6OprNlIY5JlVhXXii.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: nPpyxVDuMw96yZmSf6gQ2TqY.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: Et3mnRfmuPQFakro2oc74eeS.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 6Yd84thjPkhRBN2b6a5H1jnf.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: CUxLCA8x4ghROFTMPdaQB3M5.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 2tcX737WHyo5lwEvmctv51Vv.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: DD12FHVAYroWK47l2n2nUb6f.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: UIgbZOdyaVSQ6RYQSEeprj5d.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 87AZujGvMD0DS3bxBzittT7r.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: fw2TOiWzGo1NrFLSXdW9IHtr.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: vG59IrPYDLqWmCOO9Pfbpgeu.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: pkUUm3iviYyjVuVwVzn44HrC.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 7FamwTPi2SttiX4DgdTFvBP1.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: Ij1WDhMqibF1B2QU9vGntIlT.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: XlgZgJ2LJW81kHOYIHPmyxJ5.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: cuOUlQ9A7hneJRyyE6akV0sd.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: kqmEb6pkblBuU3ikfPK4qcR5.exe.12.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression

Source: LisectAVT_2403002C_44.exe

Static PE information: No import functions for PE file found

Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539479297.00000251001C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameItutemoJ vs LisectAVT_2403002C_44.exe
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.00000251658A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew.exe" vs LisectAVT_2403002C_44.exe
Source: LisectAVT_2403002C_44.exe, 00000000.00000000.1228009358.0000025163B9C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePayaret.exe0 vs LisectAVT_2403002C_44.exe
Source: LisectAVT_2403002C_44.exe	Binary or memory string: OriginalFilenamePayaret.exe0 vs LisectAVT_2403002C_44.exe

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\BAPIDRV

Source: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\ramengine.dll, type: DROPPED

Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: LisectAVT_2403002C_44.exe, ModeCancellationPending.cs

Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\Afd
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\360IPFilter
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\IP
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: HTTP://PsGetProcessPeb\Device\360Hvm
Source: qutmipc_win10.sys.42.dr	Binary string: \Driver\NDProxy\Driver\AfdSeExportsmspfilejsefilevbefilevbsfilecplfilewshfilewsffileregfilemsifilejsfilehtafilescrfilecomfilescffilepiffilebatfilecmdfilelnkfileexefile.msp.jse.vbe.vbs.cpl.wsh.wsf.reg.msi.js.hta.scr.com.scf.pif.bat.cmd.lnk.exe_Classes\RtlFormatCurrentUserKeyPath\Device\Mup\\Device\LanmanRedirector\24L
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\360SelfProtection
Source: 360boxmain.exe.42.dr	Binary string: K`XD%machinename%%UserProfile%\Documents and Settings\\Local Settings\Temp\*\Documents and Settings\\Local Settings\Temporary Internet Files\*\Documents and Settings\\Cookies\\AppData\Local\Temp\\AppData\Roaming\Microsoft\Windows\Cookies\*.wmv.rmvb.rm.mpg.mp4.mov.mkv.flv.avi.3gp.wma.ra.mp3.ogg.mka.m4a.ac3.aac.xlsx.xls.pptx.ppt.txt.pdf.docx.doc..CacheSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders360SANDBOX\SHADOW360sandbox\filelist_page.xml::{26EE0668-A00A-44D7-9371-BEB064C98683}IDS_MEDIA_LIST_DESCIDS_DOCUMENT_LIST_DESCIDS_DELETE_PROMPT_MSGPreferred DropEffectIDS_COPY_PRMPT360SandBox\Shadow360SANDBOX\SHADOW\IDS_UPPER_FOLDERIDS_DATE_TIME_FMT%Y-%m-%d %H:%MC:\sxin.dllsxin64.dllSxWrapper.dllWINDOWS\SXIn.dllIDS_CRITICAL_FILE_PROMPT_MSG\Device\FloppyX
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\Nsi
Source: 360FsFlt_old.sys.42.dr	Binary string: c:\vmagent_new\bin\joblist\689163\src\3\360fsflt_sys_dbgad2_for_i18n\ad\aklrules.cwin32k.sysW32pServiceTableW32pServiceLimit\Device\XBS @I %08x @P %s @I %08x @C %s @P %s @I %08x @C %smsi.dll\SystemRoot\System32\msiexec.exePsGetThreadId-EmbeddingClipboardDataObjectInterfaceMTAClipboardRootDataObjectInterfaceClipboardDataObjectInterfaceObGetObjectType\Sessions\1\Windows\ApiPort\Windows\ApiPortSymbolicLinkValue /update /as /enable /update /as /enable /as\MSASCui.exe -wdenable\MpCmdRun.exeunknown processc:\vmagent_new\bin\joblist\689163\src\3\360fsflt_sys_dbgad2_for_i18n\ad\adrules.c[SendForkProcessMessageToClient]Driver Send Fork Process!!!
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: Version\Device\360AntiHacker
Source: 360FsFlt_old.sys.42.dr	Binary string: \Device\Srv2
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\360SelfProtectionUSER PUT POST HELOHEAD GET EHLODELETE
Source: 360FsFlt_old.sys.42.dr	Binary string: (S\Device\Mup\\Device\LanmanRedirector\LocalHost.LocalHost127.0.0.124x
Source: qutmipc_win10.sys.42.dr	Binary string: \DosDevices\exploitcap\Device\exploitcap\Device\qutmipc\DosDevices\qutmipcPsGetProcessSessionIdIoQueryFileDosDeviceNamePsGetProcessPebPsGetCurrentProcessSessionIdExReleaseRundownProtectionExAcquireRundownProtection\FileSystem\qutmdrv\FileSystem\Filters\qutmdrvPsGetProcessImageFileNameObGetObjectType\Registry\Machine\System\-Embedding\Device\360SelfProtectionSystem\Device\360HookPortMmCopyVirtualMemoryshell32.dll\REGISTRY\MACHINE\{26CEAE5B-627C-4ed6-9E96-2A2F0E93A13C}\10002\REGISTRY\MACHINE\{26CEAE5B-627C-4ed6-9E96-2A2F0E93A13C}\10001PsReferenceProcessFilePointerSYSTEMunknown processsystem
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\360NsiFilter
Source: 360FsFlt_old.sys.42.dr	Binary string: \Device\MountPointManager
Source: 360hvm64_win10.sys.42.dr	Binary string: \Device\360Hvm
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: \Device\360TdiFilter
Source: 360AntiHacker64_win10.sys.42.dr	Binary string: 360 AntiHacker Flow Establish%s<c=%d><a=%d><mid=%s><m2=%s><product=ipc><combo=kernel><v=1><b=%s><c=%d>\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry\Machine\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce360safeuninst<a=except_exit><d=%d><e=%04u%02u%02u %02u:%02u:%02u>FwpmFilterDeleteById0FwpsFlowRemoveContext0FwpsFlowAssociateContext0FwpmTransactionAbort0FwpsCalloutUnregisterById0FwpmFilterAdd0FwpmCalloutAdd0FwpsCalloutRegister0FwpmProviderDestroyEnumHandle0FwpmProviderDeleteByKey0FwpmProviderEnum0FwpmProviderCreateEnumHandle0FwpmSubLayerDestroyEnumHandle0FwpmSubLayerDeleteByKey0FwpmSubLayerEnum0FwpmSubLayerCreateEnumHandle0FwpmCalloutDestroyEnumHandle0FwpmCalloutDeleteByKey0FwpmCalloutEnum0FwpmCalloutCreateEnumHandle0FwpmFilterDeleteByKey0FwpmFilterEnum0FwpmFilterDestroyEnumHandle0FwpmFilterCreateEnumHandle0FwpmTransactionCommit0FwpmTransactionBegin0FwpmEngineClose0FwpmEngineOpen0FwpmFreeMemory0FWPKCLNT.sysWskReleaseProviderNPIWskCaptureProviderNPIWskDeregisterWskRegisterNETIO.sys\Device\UdpTransportAddress316b91494d610d5492487f01RSDS

Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *.sln
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.rans.bank.troj.expl.evad.winEXE@134/1278@0/31

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00428300 _memset,__wsplitpath,GetDiskFreeSpaceExW,

21_2_00428300

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_0044AAD0 GetTickCount,CreateToolhelp32Snapshot,_memset,Process32FirstW,_memset,Process32NextW,CloseHandle,

21_2_0044AAD0

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00409950 FindResourceW,LoadResource,SizeofResource,FreeResource,_memset,LockResource,FreeResource,

21_2_00409950

Source: C:\Users\user\Pictures\360TS_Setup.exe

File created: C:\Program Files (x86)\1721892447_0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\9fMPr9bjofOW56waLjTgg4fo.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6028:64:WilError_03
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 336
Source: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 4132
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4268:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1928
Source: C:\Users\user\Pictures\360TS_Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 4872
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess336
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 8140
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 1548
Source: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 1928
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:744:64:WilError_03
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Mutant created: NULL
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\Q360SafeI18NInstaller
Source: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 6228
Source: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 6844
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4864:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4132
Source: C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 5172
Source: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360SafeInstallerMutex
Source: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 1252
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2440
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4312:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6228
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6844

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ff64d64a-c1e8-4eeb-b88a-ffbd0c566fbe

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aWJAM7LmGVjrqyGFkBX76m6y.bat" "

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: /runonce	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: /runonce	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: open	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: pkg	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: \GG	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: show	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: clientid	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: IDS_TITLE	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: chs	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: IDS_TITLE	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: IDS_TITLE	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: IDS_TITLE	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: ini_url_default	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: IDS_QUIT	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: IDS_URL_ERROR	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: IDS_TITLE	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: /tswin10	21_2_004036F0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Command line argument: /tsewin10	21_2_004036F0

Source: LisectAVT_2403002C_44.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LisectAVT_2403002C_44.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002C_44.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe "C:\Users\user\Desktop\LisectAVT_2403002C_44.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2440 -ip 2440
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2440 -s 3156
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe "C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe" /s
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe "C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe" /s
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 336 -ip 336
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe "C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe" /s
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1928 -ip 1928
Source: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe "C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe" /s
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6228 -ip 6228
Source: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe "C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe" /s
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6844 -ip 6844
Source: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 984
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aWJAM7LmGVjrqyGFkBX76m6y.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe "C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe" /s
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process created: C:\Users\user\Pictures\360TS_Setup.exe "C:\Users\user\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4132 -ip 4132
Source: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe "C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe" /s
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jLw9YTEqZHJtGfgAlmf6QvQQ.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\360TS_Setup.exe	Process created: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe "C:\Program Files (x86)\1721892447_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe "C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe" /s
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe "C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe "C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe "C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe "C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe "C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe "C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe "C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe "C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2440 -ip 2440
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2440 -s 3156
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 336 -ip 336
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 984
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1928 -ip 1928
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 976
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6228 -ip 6228
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 976
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6844 -ip 6844
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 984
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4132 -ip 4132
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 972
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process created: C:\Users\user\Pictures\360TS_Setup.exe "C:\Users\user\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\360TS_Setup.exe	Process created: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe "C:\Program Files (x86)\1721892447_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: secur32.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: authz.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: rasman.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Section loaded: cryptsp.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe

File written: C:\Users\user\AppData\Local\Temp\!@t65A5.tmp.dir\setup.ini

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot

Source: LisectAVT_2403002C_44.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002C_44.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: LisectAVT_2403002C_44.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\user\Desktop\LisectAVT_2403002C_44.PDB source: LisectAVT_2403002C_44.exe, 00000000.00000002.1538127572.000000EFC50F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbH source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\621001\out\Release\360boxmain.pdb source: 360boxmain.exe.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\372449\out\Release\SysCleanerUI.pdb source: SysCleanerUI.exe.42.dr
Source:	Binary string: pC:\Users\user\Desktop\LisectAVT_2403002C_44.PDB source: LisectAVT_2403002C_44.exe, 00000000.00000002.1538127572.000000EFC50F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\806392\out\Release\Installer.pdb source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1500985189.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1499687327.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1501833439.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1502015815.0000000004D81000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\689163\src\3\360fsflt_sys_dbgad2_for_i18n\filter\objfre_win7_amd64\amd64\360FsFlt.pdb source: 360FsFlt_old.sys.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\55974\out\Release\360GuardBase.pdb source: 360GuardBase.dll.42.dr
Source:	Binary string: \??\C:\Users\user\Desktop\LisectAVT_2403002C_44.PDB# source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\451438\out\Release\zh-CN\CloudSec3.dll.pdb source: cloudsec3.dll.locale11.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\500965\out\Release\MenuEx.pdb source: MenuEx.dll.42.dr
Source:	Binary string: D:\Project\SafeGuardIntl\branches\SafeInt_V6.2\i18n\I18N\DsRes64\Release\zh-CN\DsRes64.pdb source: DsRes64.dll10.42.dr
Source:	Binary string: LisectAVT_2403002C_44.PDB source: LisectAVT_2403002C_44.exe, 00000000.00000002.1538127572.000000EFC50F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\435521\out\Release\360DeskAna.pdb source: 360DeskAna.exe.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\329925\out\Release\LiveUpdate360.pdb source: LiveUpdate360.exe.42.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\320146\src\q\qutmipc_obtracer_sys\hookportregchangedriver\objfre_wxp_x86\i386\qutmipc.pdb source: qutmipc_win10.sys.42.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\451442\out\Release\pt\DsRes.pdb source: DsRes.dll5.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\396552\out\Release\BootLeakFixer.pdb source: BootLeakFixer.tpi.42.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbolean) source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.0000000002561000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1831668320.00000000025BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\606617\src\3\360antihacker_driver\src\objfre_win7_amd64\amd64\360AntiHacker64.pdb source: 360AntiHacker64_win10.sys.42.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.0000025100240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\258920\out\Release\ru\UrlSettings.dll.pdb source: UrlSettings.dll.locale8.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbN source: LisectAVT_2403002C_44.exe, 00000000.00000002.1539643258.00000251003B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\329925\out\Release\LiveUpdate360.pdbtK source: LiveUpdate360.exe.42.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\815457\out\Release\en\filemgr.dll.pdb source: filemgr.dll.locale7.42.dr

Source: LisectAVT_2403002C_44.exe

Static PE information: 0xC245A31E [Thu Apr 13 21:14:06 2073 UTC]

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_004643D4 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

21_2_004643D4

Source: LisectAVT_2403002C_44.exe

Static PE information: real checksum: 0x65472 should be: 0x6547b

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCD752B push ebx; iretd	0_2_00007FFAACCD756A
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCD7963 push ebx; retf	0_2_00007FFAACCD796A
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAACCE0B7C pushfd ; iretd	0_2_00007FFAACCE0BB4
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Code function: 0_2_00007FFAAD63026B push esp; retf 4810h	0_2_00007FFAAD630312
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CCCC44 push esp; retf	18_3_04CCCC49
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CCCC44 push esp; retf	18_3_04CCCC49
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC846 push 01A437B9h; ret	18_3_04CFC84B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC846 push 01A437B9h; ret	18_3_04CFC84B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC846 push 01A437B9h; ret	18_3_04CFC84B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC846 push 01A437B9h; ret	18_3_04CFC84B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CCCC44 push esp; retf	18_3_04CCCC49
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CCCC44 push esp; retf	18_3_04CCCC49
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFB69E push ecx; ret	18_3_04CFB71B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC615 push edx; ret	18_3_04CFC616
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC846 push 01A437B9h; ret	18_3_04CFC84B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC846 push 01A437B9h; ret	18_3_04CFC84B
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Code function: 18_3_04CFC846 push 01A437B9h; ret	18_3_04CFC84B

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	21_2_0044E2B0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	21_2_0044E440
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	21_2_0044DEF0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	21_2_00445FF9
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: _malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	21_2_00445F90

Creates a FSFilter Anti-Virus service

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\Instances\360SDInstance Altitude

Installs new ROOT certificates

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072 Blob
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247 Blob
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5 Blob
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85 Blob
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25 Blob

Sample is not signed and drops a device driver

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360Camera64.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360AntiHacker64.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360AvFlt.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360netmon.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Windows\system32\drivers\360Box64.sys

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\7TZg7zlWDNnbBmFYTmmvpQh2.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\AVE\360KPBase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsark64_old.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\y2xlfwgZYtLHYanrRQ8JSWVl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\UIgbZOdyaVSQ6RYQSEeprj5d.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360P2SP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\commonbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsark64.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\JbCzziprwhxu952EEGGM4kyy.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360base64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\TEngine.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetBase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\svcMonitor.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\somkernl.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\PromoUtil.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\Utils\360ScreenCapture.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\Utils\360ScreenCapture.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\AntiAdwa.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\SxWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360netbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk64_win10.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\36dsvh9ycgNnqmR2ByFaAF5L.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\fw2TOiWzGo1NrFLSXdW9IHtr.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\deepscan\DsRes.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DownloadMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360Util64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\iaqDCrpk7XgTBT3Gv3tL3MhD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\kqmEb6pkblBuU3ikfPK4qcR5.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\qutmipc_win10.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\tOjl1xMHwPniA98wveB6sp5S.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360Quarant.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\modules\KB931125-rootsupd.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\spsafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\VWallet.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\AVE\360KP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\Utils\360searchlite.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\2tcX737WHyo5lwEvmctv51Vv.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LargeFileFinder.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SimpleIME.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\OwwOgzkPQh7uMioCPDE28dVh.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\chrome\360webshield.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SiteUIProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\ScriptExecute.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Ij1WDhMqibF1B2QU9vGntIlT.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WDRecord.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHWatchdog.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\360netctrl.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\DrvUtility.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SpeedUp.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHToasts.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\EaInstHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DriverUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360GuardBase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360SkinView.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\AVCheck.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\QdK9qeDGACGo9zbnCRy3mj3u.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\7z.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Camera64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360hvm64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360compro.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\eXYG01pvaO43Gh2ID1P8KBeF.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360scovec64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\yhregd.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk.dll	Jump to dropped file
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	File created: C:\Users\user\AppData\Local\Temp\{72EED8BA-9242-4de1-9063-4C81F09A6B03}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\CleanHelper64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\FeedBack.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\scanproxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\Qhn5Cs4iUiQe1fOLh3QZma5T.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	File created: C:\Users\user\AppData\Local\Temp\{BF2BE5E6-902C-4720-A988-382B5CE16F33}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\SDPlugin\AdPopWnd.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\CUxLCA8x4ghROFTMPdaQB3M5.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WDSafeDown.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\wdui2.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\3G\3GIdentify.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\appd.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\menuex64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\appdext.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360elam.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\SysSweeper.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\QHAccount.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\4ZZwfXAuJ072C1VqOfz1A4ih.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\sites.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360net.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SomAdvUtilsWrap.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\SXIn64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLProxy64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\nICxaxPOAPjSog9aqauyJ12l.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\UVfMqDwGoGEvVkVybkeC8QrI.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\sweeper\360FastFind.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WDPayPro.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\ReuFdz5VW3kSYWFmIhNeNe2A.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360FsFlt_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\urlproc.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\PopWndTracker.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360rp.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360procmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360hvm.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\wdui3.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SelfProtection_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\6Se9cfVvgkgQ1LiWk4azwLiz.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\WhiteCache.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetBase64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLCore.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\hookport.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\PQ7InkkMnF4WgBpnrK0fM12d.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box64_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\SXIn.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\qutmipc.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Base64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Users\user\Pictures\360TS_Setup.exe	File created: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\50\360netmon_50.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\atTmWMexfjDNHZsj4eS3cFWa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\szkqjw57V0nOs0wQUlJUUsLd.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Dumpuper.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DuplicateFile.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\EfiMon.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WscReg.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\3pU7us2lCosxu8OuPe4BpnIe.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\nlajzL0nJsjGBoOzsEHar6xN.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360avflt64_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LeakFixHelper64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\DumpUper.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\PatchUp.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360FsFlt_win10.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\tsPDoXjJ5QDVbxpQe7Ldx9O5.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLLauncher.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Qs8gKU4lVOLm6RixkxRfa4V2.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CrashReport.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\stx.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360WifiProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\N4T8qP0zIsmhNbok9EeYkn9g.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\QHSafeScanner.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHSafeTray.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\rmt.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SelfProtection.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360Opt.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360Util.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Camera.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\360FastFind.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\sysfilerepS.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\DesktopPlus64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qutmdrv_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\QVM\360AQVM.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360zipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360hvm64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DrvInst64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Util64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TsLiveUpd.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\swverify64.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\S3AafgsV3ndWpGK20WkoNgGW.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DSFScan.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHActiveDefense.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ToolBox.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TSCommon.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\yE7noGQXNcOT5zohTTwqK6bF.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\cuOUlQ9A7hneJRyyE6akV0sd.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\NetworkMon.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\AVE\AVEI.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\AntiTrack64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\C5Kjr9aaz6hDS52NkOqq8y55.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Base.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\tAqt9uSHmrF7Z3H2xvM1lxwA.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Verify.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\wfp\360netmon_x64_wfp.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\DesktopPlus.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\hookport_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\chromesafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360hipsPopWnd.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SomAdvUtils.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsmain.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360QuarantPlugin.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\Cloudsec3.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SafeCamera.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360Tray.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\TrashClean.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360tscommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\PopTip.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360SoftMgrS.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360Connect.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\CheckSM.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\0CtLUUWAoHtcou0zdP0CzCUj.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SoftMgrLite.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\x64\360netmon_x64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Repair.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\UvKXEQwl3D7YytLyF1DjkOvH.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\scanstub.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\AntiCe.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360AV.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SysCleanerUI.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\Antiadwa.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\UDhWZlM2m146SXcde4F56BRT.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\cloudcom2.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\HomeRouterMgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe (copy)	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SysCleaner.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\Antiadwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Sites64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Util.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\ModuleUpdate.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\p0TVeG7PgzSYUEgCbGq9rvc9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\6Yd84thjPkhRBN2b6a5H1jnf.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SPTool.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPI.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DrvmgrCore.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\SomProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt_win10.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\hnKZFCj5oe7DMZMOnuhsEUAF.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\X64For32Lib.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LiveUpdate360.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qutmdrv.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\8M7DUF3xBSx8QcSLemrdjOdg.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\scanbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360base.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\pkUUm3iviYyjVuVwVzn44HrC.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLLauncher64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CombineExt.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360ShellPro.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\EaInstHelper64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360realpro.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360avflt64.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\nPpyxVDuMw96yZmSf6gQ2TqY.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Conf.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV64_old.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\PNRovpjvuoTBDQWgmW6Dxpeu.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360elam64.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\0lzVim7riCB1upr1FUP8xSQR.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sites.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\AntiTrack.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\QHFileSmasher.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\BrowseringProtection.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\MedalWall.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\wfp\360netmon_wfp.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\BYMTdmumqdQRWdqfOhAEZ4m7.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\deepscan\DsRes.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLHelper64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\QVM\360QVM.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\DailyNews.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\SelfProtectAPI2.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\dlproc.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\XlgZgJ2LJW81kHOYIHPmyxJ5.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360hvm64_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\AVE\AVEngine.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\60\360netmon_60.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\swverify32.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\6HbUFGG6OprNlIY5JlVhXXii.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\YiBUNoJoPIhAtYOnilMSPvZS.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\360GameIdentify.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\sites64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Et3mnRfmuPQFakro2oc74eeS.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\U3Oa50HVWGsdPmyCniC9yFFX.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\sysoptm.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetUL.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\spsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\PowerSaver.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360calaInt.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TSCommon64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\chromesafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360bsmon.tpi	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\aniaYFsW0PlkrlJ2YcSQ1uDn.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\CheckSM.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\UDiskScanEngine.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\menuex.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\cef\cefutil.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\PT6Mx7KioNvzBAtCL7QX2GXq.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\CQhCltHttpW.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\TraceClean.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360FsFlt.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\PopWndLog.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\Tracehelper.exe	Jump to dropped file
Source: C:\Users\user\Pictures\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\1721892447_00000000_base\360base.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\QHSafeMain.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Camera_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Camera64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360scovec.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360safemonpro.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\CondrvFix.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\sbx.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\Utils\360searchlite.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\spsafe64.dll.locale	Jump to dropped file

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\menuex.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360tscommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360tscommon64.dll (copy)	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\DumpUper.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360Util.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\Utils\360ScreenCapture.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360Util64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360base.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360netbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360base64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\menuex64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\sites.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\sweeper\360FastFind.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\Utils\360searchlite.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\360TotalSecurity\DesktopPlus\sites64.dll	Jump to dropped file

Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\Antiadwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\Antiadwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360AV.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360bsmon.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360Connect.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SafeCamera.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360safemonpro.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360UDisk.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\AdPopBlocker.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\BootLeakFixer.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\DiagScanTips.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\DsTpi.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\FilePrivacy.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\gamemode.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\netmon.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\qutmvd.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\Safemon64.dll.locale	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	21_2_0044E2B0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	21_2_0044E440
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	21_2_0044DEF0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	21_2_00445FF9
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: _malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	21_2_00445F90

Drops script or batch files to the startup folder

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7pCdXa3VPPixXDeiDERuIUe.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vYH2GBgutbYFV7StmqrF392h.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qbbFZA8KUyY320BJKYkkQtYc.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftfiPBwwMqNVVJZnn7PZ42oW.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQK5jhKLuMPM67O36bjRAtlp.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sM0pd9IgVzsfjezNSbt2hR8c.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pZxmHLS4YUZppdDnCbM54TVk.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pWYyEAMmGvRdSQiFkMbPsyKA.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SlrtBJJYXextedHC5RRXtqjD.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCM79EJDWoOaU28j3sM2Lwwo.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sHRAIShzlUtV2Ej2KkHQUTd8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FEvbcWeHlUCQ6wJiJ7Ty3YrK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ipxaLwijnNCaFbKHMVglZ1Gv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ByP6u97qxNfZ81fsarYDva02.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHnfZZZd2SrSzViwEQo8A2Zo.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TmtCXHeFfNXnhKof0nPqXoXk.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FdEAiaBtdTb53bxGipyuLeHz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IcfW3XsxniNtxPUg3uti8t4y.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mc7dNCewwnFtbMeKarYV0nyt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jqBjaEhJsWFWAYj7GXVx0xrr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrFSwTlmj7ddrNdTdahgfOKX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZsZOFxiSwOteG3HE4X7AykQ3.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PmY9HZ56zikoreGGsiW4JI8R.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5wRhfRBk6MCDZeJ0qEjmfyeG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fYK2NbmAGi9Pg4SG2aLRfRmI.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h9wamzhzzhwACA9Mtcf07wz6.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFBhuG7x7cuyTo0UEY1FLx3F.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jThuXZ4voJcJhbCjFEaBHzHv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssx35u7TOA2nPAp0L1L3IKsf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0hV0gAK22xvEtgvyKQ5yOs5n.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvIKtqidl2guUPBHjxVUFQtv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZaKd5MYji3kAyTfvu5KO5wp5.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vnAGf0bQ9J14q0sRMygGsW8l.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FVQRuTSzJTtHAXSQWwQCLvZY.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jLw9YTEqZHJtGfgAlmf6QvQQ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lKmPsTV4YA7CYpmS0qsQItFO.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kGFe11FaCHj8Cq6LEsxAKO9Q.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sksCZf6BD8bmyHJVUY7BoElf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aWJAM7LmGVjrqyGFkBX76m6y.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kV5jXmTcsMiETlF8iRGxyKFt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3zFuzRgWu8nsIZVxdNWJ2gln.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Sw8mVAoATaNcrREXaxGRBLH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n16Ul2pmsPZpymsRFsDrzjOF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezskEwZPmKODwzVBTltwetRT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l2UL1f1VQQ9TgewgTJp5cafq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjY51tWJaahZmfQU8rSeUhVQ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lf37LKjOy1F8yH9htI5go57b.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2dZXHu4mBuz0k7K0hcQByrTC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YmyYC9ZIZqInZy9lU02lfnot.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xvy9mj0sqpawGMMbF7MUoN4G.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ca6YBXJj4xO3yMydtaSpZbg2.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sBSPGXFVGr9XmZ4KnrA6cgvt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDlV6JCqkaaMXdj2ilRXIwiB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QaR7JQApk4Gm5USjcAqonvDp.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BEyHr3bfAnMOq3irAN86EVFJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M1OuzBuysJJ6kE8KobZHawCS.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7GHKGgWXYpBu6ujvkCqrAqEk.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X4AeTFkWxvvr0UutH23jyajK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HVygIk5xltJ26qO7i4Ttg3dw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p4mun4rwQavBk6vXf7mLPsDM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYU4aYQGSewAU8NRdpVSLYs1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9zZvqHeESRzOOvzVhqrk9jbq.bat	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFBhuG7x7cuyTo0UEY1FLx3F.bat

Jump to behavior

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360AntiHacker

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFBhuG7x7cuyTo0UEY1FLx3F.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jThuXZ4voJcJhbCjFEaBHzHv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vnAGf0bQ9J14q0sRMygGsW8l.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jLw9YTEqZHJtGfgAlmf6QvQQ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lKmPsTV4YA7CYpmS0qsQItFO.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kGFe11FaCHj8Cq6LEsxAKO9Q.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sksCZf6BD8bmyHJVUY7BoElf.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aWJAM7LmGVjrqyGFkBX76m6y.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kV5jXmTcsMiETlF8iRGxyKFt.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Sw8mVAoATaNcrREXaxGRBLH.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n16Ul2pmsPZpymsRFsDrzjOF.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezskEwZPmKODwzVBTltwetRT.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l2UL1f1VQQ9TgewgTJp5cafq.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PmY9HZ56zikoreGGsiW4JI8R.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fYK2NbmAGi9Pg4SG2aLRfRmI.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h9wamzhzzhwACA9Mtcf07wz6.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0hV0gAK22xvEtgvyKQ5yOs5n.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvIKtqidl2guUPBHjxVUFQtv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZaKd5MYji3kAyTfvu5KO5wp5.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FVQRuTSzJTtHAXSQWwQCLvZY.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3zFuzRgWu8nsIZVxdNWJ2gln.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssx35u7TOA2nPAp0L1L3IKsf.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZsZOFxiSwOteG3HE4X7AykQ3.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5wRhfRBk6MCDZeJ0qEjmfyeG.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vYH2GBgutbYFV7StmqrF392h.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qbbFZA8KUyY320BJKYkkQtYc.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQK5jhKLuMPM67O36bjRAtlp.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftfiPBwwMqNVVJZnn7PZ42oW.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SlrtBJJYXextedHC5RRXtqjD.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pWYyEAMmGvRdSQiFkMbPsyKA.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pZxmHLS4YUZppdDnCbM54TVk.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sM0pd9IgVzsfjezNSbt2hR8c.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ipxaLwijnNCaFbKHMVglZ1Gv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FEvbcWeHlUCQ6wJiJ7Ty3YrK.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sHRAIShzlUtV2Ej2KkHQUTd8.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCM79EJDWoOaU28j3sM2Lwwo.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TmtCXHeFfNXnhKof0nPqXoXk.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHnfZZZd2SrSzViwEQo8A2Zo.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ByP6u97qxNfZ81fsarYDva02.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jqBjaEhJsWFWAYj7GXVx0xrr.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mc7dNCewwnFtbMeKarYV0nyt.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IcfW3XsxniNtxPUg3uti8t4y.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FdEAiaBtdTb53bxGipyuLeHz.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrFSwTlmj7ddrNdTdahgfOKX.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lf37LKjOy1F8yH9htI5go57b.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjY51tWJaahZmfQU8rSeUhVQ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2dZXHu4mBuz0k7K0hcQByrTC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xvy9mj0sqpawGMMbF7MUoN4G.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YmyYC9ZIZqInZy9lU02lfnot.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sBSPGXFVGr9XmZ4KnrA6cgvt.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ca6YBXJj4xO3yMydtaSpZbg2.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QaR7JQApk4Gm5USjcAqonvDp.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDlV6JCqkaaMXdj2ilRXIwiB.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BEyHr3bfAnMOq3irAN86EVFJ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HVygIk5xltJ26qO7i4Ttg3dw.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X4AeTFkWxvvr0UutH23jyajK.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7GHKGgWXYpBu6ujvkCqrAqEk.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M1OuzBuysJJ6kE8KobZHawCS.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AYU4aYQGSewAU8NRdpVSLYs1.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p4mun4rwQavBk6vXf7mLPsDM.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9zZvqHeESRzOOvzVhqrk9jbq.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7pCdXa3VPPixXDeiDERuIUe.bat	Jump to behavior
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\360 Security Center
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\360 Total Security.lnk
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\360 Total Security.lnk
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\Sandbox.lnk
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\Sandbox.lnk
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\Patch Up.lnk
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\Patch Up.lnk

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run QHSafeTray
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run QHSafeTray

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: SendInput new code: 0xE9 0x9B 0xBB 0xBB 0xB6 0x64

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: LisectAVT_2403002C_44.exe PID: 2440, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qex\qex.dll, type: DROPPED

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Memory allocated: 25163EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Memory allocated: 2517D8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 5080000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 name: DriverDesc
Source: C:\Windows\System32\svchost.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599069	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598076	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595225	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594125	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2526			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7288			Jump to behavior

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\AVE\360KPBase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsark64_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360P2SP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\commonbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsark64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360netcfg.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360base64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\libzdtp.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\TEngine.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360AdvToolExecutor.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetBase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\svcMonitor.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\somkernl.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\PromoUtil.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\Utils\360ScreenCapture.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\Utils\360ScreenCapture.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\AntiAdwa.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\libzdtp64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\SxWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360netbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\RemoteTrashInterface.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\FilePrivacy.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DownloadMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360Util64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\qutmipc_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\deepscan.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360Quarant.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\modules\KB931125-rootsupd.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360PrivacyGuard.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\spsafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360UDisk.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\VWallet.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\AVE\360KP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\Utils\360searchlite.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360AntiTrack.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LargeFileFinder.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SimpleIME.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18ngi.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\chrome\360webshield.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SiteUIProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\ScriptExecute.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WDRecord.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360boxld64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHWatchdog.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\DrvUtility.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\360netctrl.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SpeedUp.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHToasts.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\qutmvd.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\EaInstHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DriverUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360SkinView.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360GuardBase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\AVCheck.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\EfiProc.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\7z.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\I18N64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\netmon.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Camera64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360hvm64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360compro.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360scovec64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\yhregd.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netmstart.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk.dll	Jump to dropped file
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{72EED8BA-9242-4de1-9063-4C81F09A6B03}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\CleanHelper64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\FeedBack.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\scanproxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{BF2BE5E6-902C-4720-A988-382B5CE16F33}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360tscommon64.dll (copy)	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\SDPlugin\AdPopWnd.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WDSafeDown.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\PopSoftEng.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\wdui2.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\3G\3GIdentify.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\appd.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\appdext.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\menuex64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\DsTpi.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsSysRepair.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360elam.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\SysSweeper.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\QHAccount.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\MiniUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360net.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\BootLeakFixer.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SomAdvUtilsWrap.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLProxy64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\SXIn64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\sweeper\360FastFind.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\ramengine.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WDPayPro.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360FsFlt_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\disproc.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\PopWndTracker.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\urlproc.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360InstantSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360rp.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360procmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360hvm.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SelfProtection_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\wdui3.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360DeskAna.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\WhiteCache.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetBase64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\hookport.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLCore.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\FsrMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box64_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\SXIn.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\qutmipc.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\FastAnimation.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Base64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\iNetSafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\50\360netmon_50.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Dumpuper.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\gamemode.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DuplicateFile.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\dynlenv.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\EfiMon.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\WscReg.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CrashReport64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LeakFixHelper64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360avflt64_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\DumpUper.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\PatchUp.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360FsFlt_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\modules\360PatchMgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLLauncher.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\AdPopBlocker.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CrashReport.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\ImAVEng.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\stx.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\UrlSettings.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360WifiProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360boxmain.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\FileMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\QHSafeScanner.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHSafeTray.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\rmt.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\cef\2623\libcef.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV_old.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360Opt.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SelfProtection.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360Util.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\360FastFind.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Camera.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\sysfilerepS.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\DesktopPlus64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qutmdrv_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\QVM\360AQVM.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\lockkrnl.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360zipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360hvm64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\jcloudscan.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LiveUpd360.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DrvInst64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Util64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TsLiveUpd.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\Netgm.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\NetworkMonUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\dynlbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\swverify64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DSFScan.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\MenuEx64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\heavygate.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\I18N.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\QHActiveDefense.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ToolBox.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TSCommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360Box_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\NetworkMon.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360DeskAna64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\AVE\AVEI.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\AntiTrack64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Base.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Verify.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\wfp\360netmon_x64_wfp.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\DesktopPlus\DesktopPlus.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qex\PHPEX.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\hookport_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\chromesafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360hipsPopWnd.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\PDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SomAdvUtils.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\yhregd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\modules\360EvtMgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\dsmain.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\360QuarantPlugin.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Central.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\Cloudsec3.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SafeCamera.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360Tray.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LeakFixHelper64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\sweeper\TrashClean.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360tscommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\PopTip.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\360SoftMgrS.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360Connect.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\spsafe64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\modules\360PatchMgr64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\CheckSM.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SoftMgrLite.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\DsArk_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\netmon\netdrv\x64\360netmon_x64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Repair.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\scanstub.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360AV.tpi	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\AntiCe.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360boxld.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360disproc64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SysCleanerUI.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\Sxin64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\Antiadwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\cloudcom2.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\UDiskScanEngine.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\HomeRouterMgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\deepscan\DsRes64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\chrome\360webshield.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\safemon\360SPTool.exe.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\appd.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\SysCleaner.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\360AntiHacker64_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\Antiadwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Sites64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\Safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Util.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\ModuleUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360SPTool.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Utils\360DrvMgr\DrvmgrCore.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPI.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt_win10.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\SomProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\X64For32Lib.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LiveUpdate360.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\qutmdrv.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\scanbase.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\deepscan\cloudsec3.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\AntiAdwa.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\ProgramData\360TotalSecurity\DesktopPlus\360base.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\Sxin.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\safemon\webprotection_firefox\plugins\nptswp.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\SML\SMLLauncher64.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\safemon\SelfProtectAPI2.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\filemgr.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\safemon\spsafe.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\safemon\Safemon64.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CombineExt.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\safemon\safemon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\NetDefender.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360ShellPro.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\QHVer.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\softmgr\EaInstHelper64.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\safemon\360realpro.exe	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360avflt64.sys	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\safemon\360procmon.dll.locale	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Conf.dll	Jump to dropped file
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\deepscan\BAPIDRV64_old.sys	Jump to dropped file

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_21-46916
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_21-47447

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

API coverage: 5.3 %

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

Registry key enumerated: More than 132 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\System32\svchost.exe TID: 720	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 720	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7820	Thread sleep count: 2526 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7820	Thread sleep count: 7288 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599423s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -599069s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598731s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598295s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -598076s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597840s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595826s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595605s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595355s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595225s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7648	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792	Thread sleep time: -594125s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7896	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00429BF0 FindClose,lstrlenW,lstrlenW,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,

21_2_00429BF0

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00428190 _memset,GetLogicalDriveStringsW,_memset,QueryDosDeviceW,

21_2_00428190

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599069	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598076	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595225	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594125	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_30926f56636b977de717efc0a33cc4ae6873153_8dafb6ee_37d64a93-2585-4cac-aad3-8809d659c484\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_r0raHcCIH1k2YsFl_8cc313ba89e65827eb2b854a8ee3edf9cb9d41d6_6c9ad7ec_5564019a-2eb2-4a14-af3e-d6e5dd0bf216\

Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447405023.00000000025BC000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447668964.00000000025BC000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1447547012.00000000025BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc$
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: LisectAVT_2403002C_44.exe, 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: svchost.exe, 00000008.00000003.1399474319.00000245F1010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

API call chain: ExitProcess graph end node

graph_21-47449

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\AVLib.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\fr7.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\DataDriv.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\ptype.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\fr9.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Program Files (x86)\360\Total Security\filemon\AVLib.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\360AvFlt.dll
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-TW\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\fr1.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\zh-CN\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\fr6.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\fr\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Program Files (x86)\360\Total Security\filemon\360AvFlt64_win10.sys
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\es\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\fr5.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\vi\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\de\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pt\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ja\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\fr4.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\tr\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\en\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\ru\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\pl\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\it\ipc\regmon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\filemon\fr8.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\filemon.dat
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	File opened: C:\Users\user~1\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\i18n\hi\ipc\regmon.dat

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe	Process queried: DebugPort

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00458457 __getptd,LdrInitializeThunk,__amsg_exit,__lock,InterlockedDecrement,InterlockedIncrement,

21_2_00458457

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_004500E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

21_2_004500E9

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00447E70 GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle,

21_2_00447E70

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

21_2_004643D4

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00447B00 GetCurrentProcessId,CreateMutexW,GetLastError,WaitForSingleObject,GetProcessHeap,HeapAlloc,__CxxThrowException@8,__CxxThrowException@8,ReleaseMutex,CloseHandle,

21_2_00447B00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process token adjusted: Debug

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_004500E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_004500E9
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0046080C SetUnhandledExceptionFilter,	21_2_0046080C
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_00452E9E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00452E9E
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0044D324 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0044D324
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: 21_2_0044FBBA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0044FBBA

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Section unmapped: unknown base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 404000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 406000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E08008	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe "C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe "C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe "C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe "C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe "C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe "C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe "C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe "C:\Users\user\Pictures\vjkQvA9A1258BKNJpE9OFR7r.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2440 -ip 2440
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2440 -s 3156
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 336 -ip 336
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 984
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1928 -ip 1928
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 976
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6228 -ip 6228
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 976
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6844 -ip 6844
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 984
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4132 -ip 4132
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 972
Source: C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe	Process created: C:\Users\user\Pictures\360TS_Setup.exe "C:\Users\user\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
Source: C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Process created: unknown unknown

Source: C:\Users\user\Pictures\360TS_Setup.exe	Process created: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe "c:\program files (x86)\1721892447_0\360ts_setup.exe" /c:ww.marketator.cpi20230405 /pmode:2 /s /promo:eyjib290dgltzsi6ijcilcjtzwrhbci6ijcilcjuzxdzijoimcisim9wzxjhijoinyisim9wzxjhx2lucyi6ijailcjwb3b1cci6ijcilcjyzw1pbmrlcii6ijcilcj1cgdyywrlx25vdyi6ijaifqo= /tsinstall
Source: C:\Users\user\Pictures\360TS_Setup.exe	Process created: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe "c:\program files (x86)\1721892447_0\360ts_setup.exe" /c:ww.marketator.cpi20230405 /pmode:2 /s /promo:eyjib290dgltzsi6ijcilcjtzwrhbci6ijcilcjuzxdzijoimcisim9wzxjhijoinyisim9wzxjhx2lucyi6ijailcjwb3b1cci6ijcilcjyzw1pbmrlcii6ijcilcj1cgdyywrlx25vdyi6ijaifqo= /tsinstall

Source: 360FsFlt_old.sys.42.dr	Binary or memory string: Shell_TrayWndDV2ControlHostEdit
Source: 360DeskAna.exe.42.dr	Binary or memory string: QueryFullProcessImageNameW"%s" "%s"IsWow64ProcessWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection%programfiles%%commonprogramfiles% (x86)lspscan\syswow64\\system32\\windows\syswow64\Program managerProgmanExplorerExt.dllLoadLibraryWKernel32buffer too largeROOT\CIMV2CreateWin32_ProcessCommandLineReturnValueProcessId..\safemon\BrowserFix.dllShowLockHomePageDlg..\360Base.dll/se1"" /se2/sex1/sex2ieoptionuninstalluiqueryicon360DTAievolumelockhomepage3264lspfix/func=netmoncheckT
Source: 360FsFlt_old.sys.42.dr	Binary or memory string: R#32770ButtonEditComboBoxEx32QHSafeTray.exewdpaypro.exeComboBoxEx32ReBarWindow32SysListView32FolderViewCabinetWClassProgmanWorkerWExploreWClassToolbarWindow32csrss.exe

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_0044EA60 cpuid

21_2_0044EA60

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	21_2_0045A4EF
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	21_2_0045A617
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	21_2_0045A0FA
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	21_2_0045A211
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	21_2_0045A2A9
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	21_2_0045A31D
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	21_2_0045A5B0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	21_2_0045A653
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	21_2_0046473F
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	21_2_004549E1
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: GetLocaleInfoA,	21_2_00462BAC
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	21_2_004593E0
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	21_2_0045D825
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	21_2_00459A4E
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	21_2_00459CA6
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	21_2_00465D67
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	21_2_00465D33
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	21_2_00465EA6
Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe	Code function: GetLocaleInfoA,	21_2_00455FBD

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AdoNetDiag.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\alink.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_rc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrcompression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\compatjit.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CORPerfMonExt.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Culture.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfdll.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\FileTracker.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtilLib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ISymWrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\ISymWrapper\v4.0_4.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\ISymWrapper\v4.0_4.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\ISymWrapper\v4.0_4.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Activities.Build.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Activities.Build\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Activities.Build.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Conversion.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Conversion.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Conversion.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Engine\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Utilities.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Data.Entity.Build.Tasks.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Internal.Tasks.Dataflow.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089\Microsoft.Internal.Tasks.Dataflow.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Transactions.Bridge.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Transactions.Bridge.Dtc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Compatibility.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Compatibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualC.Dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualC\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualC.STLCLR.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualC.STLCLR\v4.0_2.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.STLCLR.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.ApplicationServer.Applications\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Windows.ApplicationServer.Applications.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpe.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentasklauncher.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\PerfCounter.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\peverify.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SbsNclPerf.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelEvents.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelInstallRC.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceMonikerSupport.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sysglobl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\sysglobl\v4.0_4.0.0.0__b03f5f7f11d50a3a\sysglobl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Activities.Core.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Core.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Core.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.DurableInstancing\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.DurableInstancing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn.Contract\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.AddIn.Contract.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AppContext\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.AppContext.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Collections.Concurrent.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Concurrent\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.Concurrent.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Collections.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Collections.NonGeneric.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.NonGeneric\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.NonGeneric.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Collections.Specialized.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Specialized\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.Specialized.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ComponentModel.Annotations.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Annotations\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ComponentModel.Annotations.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ComponentModel.Composition.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition\v4.0_4.0.0.0__b77a5c561934e089\System.ComponentModel.Composition.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ComponentModel.DataAnnotations.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ComponentModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ComponentModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ComponentModel.EventBasedAsync.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.EventBasedAsync\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ComponentModel.EventBasedAsync.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ComponentModel.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ComponentModel.TypeConverter.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.TypeConverter\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ComponentModel.TypeConverter.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Console.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Console\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Console.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Common\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Data.Common.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Entity.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.OracleClient.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Services.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Services.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Design\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Services.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Device.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Contracts\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Contracts.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.Debug.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Debug\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Debug.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Process\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Process.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.StackTrace\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.StackTrace.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.TextWriterTraceListener.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TextWriterTraceListener\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.TextWriterTraceListener.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.Tools.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tools\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tools.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.TraceSource.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.TraceSource.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.Tracing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tracing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tracing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.Protocols\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Dynamic.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.Thunk.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Globalization.Calendars.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Globalization.Calendars.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Globalization.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Globalization.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.Selectors.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel.Selectors\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.Services.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel.Services\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.Services.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.ZipFile\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.ZipFile.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.FileSystem.DriveInfo.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem.DriveInfo\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.FileSystem.DriveInfo.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.FileSystem.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.FileSystem.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.FileSystem.Watcher.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem.Watcher\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.FileSystem.Watcher.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.IsolatedStorage.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.IsolatedStorage\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.IsolatedStorage.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.Log.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Log\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.MemoryMappedFiles.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.Pipes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.UnmanagedMemoryStream\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.UnmanagedMemoryStream.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Linq.Expressions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Parallel\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Parallel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Queryable\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Queryable.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Management.Instrumentation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Instrumentation\v4.0_4.0.0.0__b77a5c561934e089\System.Management.Instrumentation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Messaging.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.Rtc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.Rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.Rtc.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.WebRequest.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.NetworkInformation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.NetworkInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.NetworkInformation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Ping.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Ping\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Ping.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Requests\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Requests.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Sockets.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Sockets\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Sockets.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.WebHeaderCollection.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.WebHeaderCollection\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.WebHeaderCollection.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.WebSockets.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.WebSockets.Client\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.WebSockets.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.WebSockets.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.WebSockets\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.WebSockets.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Numerics.Vectors.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.Vectors\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Numerics.Vectors.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ObjectModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ObjectModel\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ObjectModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.context.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Context\v4.0_4.0.0.0__b77a5c561934e089\System.Reflection.context.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Reflection.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.Emit.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.Emit.ILGeneration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.Emit.Lightweight.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Emit.Lightweight\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Reflection.Emit.Lightweight.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Reflection.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Reflection.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.Reader.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.Reader\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Resources.Reader.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.ResourceManager.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.Writer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.Writer\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Resources.Writer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Caching.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.CompilerServices.VisualC.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.CompilerServices.VisualC.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.DurableInstancing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing\v4.0_4.0.0.0__31bf3856ad364e35\System.Runtime.DurableInstancing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Handles.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Handles\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Handles.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.InteropServices.WindowsRuntime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Numerics\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Formatters.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Json\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Xml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Xml\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Xml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.WindowsRuntime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.WindowsRuntime.UI.Xaml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime.UI.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.UI.Xaml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Claims.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Claims\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Claims.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Algorithms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Algorithms\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Cryptography.Algorithms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Csp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Csp\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Cryptography.Csp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Encoding.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Cryptography.Encoding.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Cryptography.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.X509Certificates.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.X509Certificates\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Cryptography.X509Certificates.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.SecureString\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.SecureString.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Activation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activation\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Activation.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Channels.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Channels\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Channels.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Discovery.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Duplex.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Duplex\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Duplex.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Http.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.NetTcp\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.NetTcp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Primitives.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Routing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Routing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.ServiceMoniker40.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.ServiceMoniker40\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.ServiceMoniker40.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.WasHosting\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Text.Encoding.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Text.Encoding.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Text.Encoding.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Overlapped\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Overlapped.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.Tasks.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.Tasks.Parallel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks.Parallel\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.Parallel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.Thread.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Thread\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Thread.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.ThreadPool.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.ThreadPool\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.ThreadPool.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.Timer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Timer\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Timer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ValueTuple.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Abstractions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Abstractions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Abstractions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.ApplicationServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.ApplicationServices\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.ApplicationServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.ApplicationServices\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.ApplicationServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DataVisualization.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DataVisualization.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DataVisualization.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DynamicData.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DynamicData.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Entity.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Entity.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Web.Entity.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Extensions.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Mobile.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.RegularExpressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Routing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Routing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Services\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.DataVisualization.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.ComponentModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.WorkflowServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.WorkflowServices\v4.0_4.0.0.0__31bf3856ad364e35\System.WorkflowServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xaml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xaml.Hosting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml.Hosting\v4.0_4.0.0.0__31bf3856ad364e35\System.Xaml.Hosting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.ReaderWriter\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.ReaderWriter.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.Serialization.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XDocument.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XmlDocument.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XmlDocument\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XmlDocument.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XmlSerializer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XmlSerializer\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XmlSerializer.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XPath.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XPath\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XPath.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XPath.XDocument.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XPath.XDocument\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XPath.XDocument.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\TLBREF.DLL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WMINet_Utils.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\XamlBuildTask.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XamlBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\XamlBuildTask.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\XsdBuildTask.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XsdBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\XsdBuildTask.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_00450247 GetSystemTimeAsFileTime,__aulldiv,

21_2_00450247

Source: C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe

Code function: 21_2_0044AA70 _memset,GetVersionExW,

21_2_0044AA70

Source: C:\Users\user\Desktop\LisectAVT_2403002C_44.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{FFDC234A-CE9B-08F9-406B-F876951CE066} GUID

Jump to behavior

Source: SysCleanerUI.exe.42.dr	Binary or memory string: D@B@Kernel32.dllAddDllDirectoryCreateObject360Base.dllPathSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
Source: qutmipc_win10.sys.42.dr	Binary or memory string: kxetray.exe
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, qutmipc_win10.sys.42.dr	Binary or memory string: 360safe.exe
Source: BootLeakFixer.tpi.42.dr	Binary or memory string: System32\ntoskrnl.exeSysNative\ntoskrnl.exeRtlGetVersionopenSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697528678.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Paths\360safe.exe
Source: qutmipc_win10.sys.42.dr	Binary or memory string: ksafetray.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{FFDC234A-CE9B-08F9-406B-F876951CE066}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{FFDC234A-CE9B-08F9-406B-F876951CE066}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{FFDC234A-CE9B-08F9-406B-F876951CE066}"
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : Select * from AntiVirusProduct
Source: C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	WMI Queries: IWbemServices::ExecQuery - root\securitycenter : Select * from AntiVirusProduct

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\ipc\appd.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	1 Windows Management Instrumentation	11 Scripting	2 LSASS Driver	111 Disable or Modify Tools	1 Network Sniffing	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	2 LSASS Driver	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	11 Credential API Hooking	5 File and Directory Discovery	Remote Desktop Protocol	11 Credential API Hooking	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 DLL Side-Loading	3 Windows Service	2 Obfuscated Files or Information	11 Input Capture	1 Network Sniffing	SMB/Windows Admin Shares	11 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Command and Scripting Interpreter	3 Windows Service	412 Process Injection	1 Install Root Certificate	NTDS	58 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	291 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Rootkit	DCSync	171 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Masquerading	Proc Filesystem	13 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	171 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	412 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
LisectAVT_2403002C_44.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
LisectAVT_2403002C_44.exe	100%	Avira	TR/Redcap.apttc
LisectAVT_2403002C_44.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\1721892447_0\360TS_Setup.exe	5%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna.exe	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna64.exe	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360Util.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360Util64.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360base.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360base64.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360netbase.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360tscommon.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\360tscommon64.dll (copy)	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\DumpUper.exe	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\Utils\360ScreenCapture.exe	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\Utils\360searchlite.exe	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\crashreport64.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\menuex.dll	4%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\menuex64.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\sites.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\sites64.dll	0%	ReversingLabs
C:\ProgramData\360TotalSecurity\DesktopPlus\sweeper\360FastFind.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\0lzVim7riCB1upr1FUP8xSQR.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\2tcX737WHyo5lwEvmctv51Vv.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\36dsvh9ycgNnqmR2ByFaAF5L.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\3pU7us2lCosxu8OuPe4BpnIe.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\4ZZwfXAuJ072C1VqOfz1A4ih.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\6Se9cfVvgkgQ1LiWk4azwLiz.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\7TZg7zlWDNnbBmFYTmmvpQh2.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\BYMTdmumqdQRWdqfOhAEZ4m7.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\C5Kjr9aaz6hDS52NkOqq8y55.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\CUxLCA8x4ghROFTMPdaQB3M5.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Et3mnRfmuPQFakro2oc74eeS.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Ij1WDhMqibF1B2QU9vGntIlT.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\N4T8qP0zIsmhNbok9EeYkn9g.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\OwwOgzkPQh7uMioCPDE28dVh.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\PT6Mx7KioNvzBAtCL7QX2GXq.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Qs8gKU4lVOLm6RixkxRfa4V2.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1721892447_00000000_base\360base.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Base.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Base64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Central.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Common.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Conf.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360DeskAna.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360DeskAna64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetBase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetBase64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360NetUL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360P2SP.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360ShellPro.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360SkinView.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TSCommon.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TSCommon64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360TsLiveUpd.exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Util.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Util64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360Verify.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\360net.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\3G\3GIdentify.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\AntiAdwa.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\AntiCe.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\BrowseringProtection.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CombineExt.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CrashReport.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\CrashReport64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\DailyNews.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\Dumpuper.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\EfiMon.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\EfiProc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\FastAnimation.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\FeedBack.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\HomeRouterMgr.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\I18N.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\I18N64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LargeFileFinder.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\360_install_20240725032741_5379609\temp_files\LeakFixHelper.dll	0%	ReversingLabs

Name	Source	Malicious
http://www.360totalsecurity.com/en/privacy.htmliv	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/zh-cn/privacy/	360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmlyW	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446133157.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1448687205.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlJ/	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834407043.00000000022CE000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834617239.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834847695.00000000022DC000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1839826468.00000000022DF000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlin	87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlivQ	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.html0%%	r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1574034706.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1632310558.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmlmex	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmlys	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://Passport.NET/tbA	svchost.exe, 00000010.00000003.1448409308.0000015C50776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlpe-	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmll&	87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633932242.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627205903.00000000022AD000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627632367.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/tr/privacy/	360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabY	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabb	DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577967137.000000000224E000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571583298.000000000224D000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571219705.0000000002241000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1571920792.000000000224E000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/zh-cn/license/360-total-security-essential/	360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlim	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1366216352.000002C2D383F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364950065.000002C2D385A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	false
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428097824.0000000000487000.00000008.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495741557.0000000000487000.00000008.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507300556.0000000000488000.00000008.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554060682.0000000000487000.00000008.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572589859.0000000000488000.00000008.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615728423.0000000000487000.00000008.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1631033297.0000000000488000.00000008.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668986779.0000000000487000.00000008.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689485723.0000000000488000.00000008.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741271820.0000000000488000.00000008.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729488267.0000000000487000.00000008.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786649072.0000000000487000.00000008.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr, 360GuardBase.dll.42.dr	false
http://www.360totalsecurity.com/en/license.html7H	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/de/license/360-total-security/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmlz.	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834407043.00000000022CE000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834617239.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834847695.00000000022DC000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1839826468.00000000022DF000.00000004.00000020.00020000.00000000.sdmp	false
http://down.360safe.com/setupbeta.exe	r0raHcCIH1k2YsFlLn2OIQyk.exe	false
http://www.360totalsecurity.com/en/privacy.html&X	7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	false
http://s.360safe.com/safei18n/query_env.htm?%s=%s	r0raHcCIH1k2YsFlLn2OIQyk.exe	false
http://www.360totalsecurity.com/en/privacy.htmlJ&(9	87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633932242.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627205903.00000000022AD000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627632367.00000000022AE000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	false
http://s.360totalsecurity.com/safei18n/ins.htm?mid=%s&ver=%s&lan=%s&os=%s&ch=%s&sch=%s&ue=%sMainDlg7	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabSE.ca	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.comIDS_LOAD_P2SP_ERROR/tswin10/tsewin10IDS_UPDATE_QUESTIONIDS_UPDATE_WAR	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000000.1428070059.0000000000471000.00000002.00000001.01000000.0000000D.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000000.1495710361.0000000000471000.00000002.00000001.01000000.00000012.sdmp, r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1507002111.0000000000471000.00000002.00000001.01000000.00000012.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000000.1554016071.0000000000471000.00000002.00000001.01000000.00000013.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1572473034.0000000000471000.00000002.00000001.01000000.00000013.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000000.1615615416.0000000000471000.00000002.00000001.01000000.00000015.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1630769787.0000000000471000.00000002.00000001.01000000.00000015.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1689360314.0000000000471000.00000002.00000001.01000000.00000016.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000000.1668954536.0000000000471000.00000002.00000001.01000000.00000016.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1741171716.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000000.1729446292.0000000000471000.00000002.00000001.01000000.00000017.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000000.1786575405.0000000000471000.00000002.00000001.01000000.00000019.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	false
http://www.360totalsecurity.com/zh-tw/license.htmlews	vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697739807.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/zh-tw/license.htmlcab9	r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlrej	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://s.360safe.com/safei18n/ins_err.htm?privQ	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	false
http://s.360safe.com/safei18n/ins_err.htm?ng	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.t	svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364687308.000002C2D385E000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.akS	svchost.exe, 00000003.00000003.1365072003.000002C2D3832000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/vi/privacy/	360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmlUV	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446133157.0000000002389000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/09/policywP	svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/de/privacy/.$	360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/zh-cn/license.htmlra=	vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697739807.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp, vjkQvA9A1258BKNJpE9OFR7r.exe.12.dr	false
https://chrome.google.com/webstore/detail/360-internet-protection/glcimepnljoholdmjchkloafkggfoijhht	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1499558059.0000000003823000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498985660.000000000381E000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	false
http://down.360safe.com/setup.exe	r0raHcCIH1k2YsFlLn2OIQyk.exe	false
https://www.360totalsecurity.com/ar/license/360-total-security/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/zh-cn/privacy.htmla=7	87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633827080.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/zh-tw/license.htmlera	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/zh-cn/license.htmlime	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/ar/privacy/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000003.00000003.1365055968.000002C2D3857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366611630.000002C2D3858000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	svchost.exe, 00000010.00000003.1360803971.0000015C50710000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabw	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/tr/license/360-total-security/	360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	svchost.exe, 00000010.00000003.1361104580.0000015C5073B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361168117.0000015C50763000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabu	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830717930.00000000022A4000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmlup	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445267785.0000000002365000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446798919.0000000002364000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444895850.0000000002362000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabk	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1826765473.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/it/license/360-total-security-essential/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabe	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/en/license/360-total-security/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.html=7b(89	87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627249205.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1627074041.00000000022A1000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtuHV	svchost.exe, 00000003.00000003.1365072003.000002C2D3832000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/hi/license/360-total-security/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmluP	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/pl/privacy/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	svchost.exe, 00000010.00000003.1448409308.0000015C50776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547788294.0000015C50786000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547578522.0000015C50774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1516297808.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1532385635.0000015C5070F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1427532948.0000015C5070E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1427511081.0000015C50707000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabh	r0raHcCIH1k2YsFlLn2OIQyk.exe, 00000015.00000002.1508591553.00000000006C5000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab..)	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829485288.00000000022A5000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabupdate	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1830855153.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829612545.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmltd	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1834112875.0000000002291000.00000004.00000020.00020000.00000000.sdmp	false
https://signup.live.com/signup.aspx	svchost.exe, 00000010.00000003.1361147575.0000015C50740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50755000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360710020.0000015C5072C000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlupq	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1361447426.0000015C50756000.00000004.00000020.00020000.00000000.sdmp	false
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/ja/license/360-total-security/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
http://channel.360totalsecurity.com/ins?m2=%s&v611=%s&ch=%s&sch=%s%s?%skeyref_linkPhttps://orion.ts.	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498433469.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1498956493.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1497138389.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 00000024.00000000.1739500796.0000000000410000.00000002.00000001.01000000.00000018.sdmp, 360TS_Setup.exe, 0000002A.00000000.1816279110.00000000004D0000.00000002.00000001.01000000.0000001A.sdmp	false
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/de/privacy/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA	svchost.exe, 00000010.00000003.1446325265.0000015C50729000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/pt/license/360-total-security-essential/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000003.00000002.1366782010.000002C2D3881000.00000004.00000020.00020000.00000000.sdmp	false
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab?	5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1828743881.0000000002291000.00000004.00000020.00020000.00000000.sdmp, 5HEEZMiEnWqR242MeEoxlGRh.exe, 00000027.00000003.1829021477.00000000022A2000.00000004.00000020.00020000.00000000.sdmp	false
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 00000010.00000003.1360710020.0000015C50729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1360849068.0000015C50752000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmle.	7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740352413.0000000002281000.00000004.00000020.00020000.00000000.sdmp, 7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000003.1740492838.0000000002288000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/fr/license/360-total-security/	360TS_Setup.exe, 360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000003.00000002.1366434447.000002C2D3844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365040245.000002C2D3843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366735784.000002C2D3863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364619028.000002C2D3862000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/en/privacy/60-tot	360TS_Setup.exe, 0000002A.00000003.1854970267.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1854173006.0000000008842000.00000004.00000020.00020000.00000000.sdmp, 360TS_Setup.exe, 0000002A.00000003.1855752775.0000000008842000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/zh-cn/privacy.htmlder	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1443891804.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1444824065.0000000002351000.00000004.00000020.00020000.00000000.sdmp, YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1449273524.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/license.htmloWEn	7FamwTPi2SttiX4DgdTFvBP1.exe, 00000023.00000002.1742508256.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmlde	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1445327048.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
https://www.360totalsecurity.com/zh-cn/license/360-total-security/	360TS_Setup.exe, 0000002A.00000003.1854970267.00000000087C1000.00000004.00000020.00020000.00000000.sdmp	false
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabp=	YBwX8KjTjRCKU7PVUt7ohrmo.exe, 00000012.00000003.1446942011.0000000002351000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy.htmldY	vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688655164.00000000023CD000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688857753.00000000023CE000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000003.1688525214.00000000023C1000.00000004.00000020.00020000.00000000.sdmp, vG59IrPYDLqWmCOO9Pfbpgeu.exe, 0000001E.00000002.1697875146.00000000023CE000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	svchost.exe, 00000010.00000003.1427569515.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1399313091.0000015C50755000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1448354248.0000015C50766000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446796598.0000015C5076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1446963144.0000015C5076E000.00000004.00000020.00020000.00000000.sdmp	false
http://www.360totalsecurity.com/en/privacy	DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000002.1577827505.0000000002245000.00000004.00000020.00020000.00000000.sdmp, DD12FHVAYroWK47l2n2nUb6f.exe, 00000018.00000003.1572060624.0000000002243000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000002.1633863682.00000000022A5000.00000004.00000020.00020000.00000000.sdmp, 87AZujGvMD0DS3bxBzittT7r.exe, 0000001B.00000003.1629073241.00000000022A3000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000002.1366216352.000002C2D383F000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc	svchost.exe, 00000010.00000003.1552419745.0000015C50766000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.76.174.118	unknown	United States	16509	AMAZON-02US	false
54.77.42.29	unknown	United States	16509	AMAZON-02US	false
18.245.60.119	unknown	United States	16509	AMAZON-02US	false
18.66.102.36	unknown	United States	3	MIT-GATEWAYSUS	false
82.145.213.41	unknown	United Kingdom	39832	NO-OPERANO	false
18.245.60.116	unknown	United States	16509	AMAZON-02US	false
151.236.118.173	unknown	Russian Federation	204720	CDNETWORKSRU	false
5.42.96.78	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
18.66.102.108	unknown	United States	3	MIT-GATEWAYSUS	false
104.192.108.17	unknown	United States	55992	QIHOOBeijingQihuTechnologyCompanyLimitedCN	false
40.126.31.67	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.42.73.29	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
199.232.214.172	unknown	United States	54113	FASTLYUS	false
18.245.60.13	unknown	United States	16509	AMAZON-02US	false
18.66.102.80	unknown	United States	3	MIT-GATEWAYSUS	false
104.20.3.235	unknown	United States	13335	CLOUDFLARENETUS	false
18.245.60.102	unknown	United States	16509	AMAZON-02US	false
104.192.108.20	unknown	United States	55992	QIHOOBeijingQihuTechnologyCompanyLimitedCN	false
82.145.215.156	unknown	United Kingdom	39832	NO-OPERANO	false
20.101.57.9	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.89.179.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
18.66.102.115	unknown	United States	3	MIT-GATEWAYSUS	false
104.20.4.235	unknown	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
186.145.236.93	unknown	Colombia	14080	TelmexColombiaSACO	false
184.28.90.27	unknown	United States	16625	AKAMAI-ASUS	false
190.224.203.37	unknown	Argentina	7303	TelecomArgentinaSAAR	false
108.138.24.221	unknown	United States	16509	AMAZON-02US	false
54.255.136.181	unknown	United States	16509	AMAZON-02US	false
104.21.76.57	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481333
Start date and time:	2024-07-25 07:59:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002C_44.exe
Detection:	MAL
Classification:	mal100.rans.bank.troj.expl.evad.winEXE@134/1278@0/31
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 64% Number of executed functions: 91 Number of non-executed functions: 210
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, MoUsoCoreWorker.exe
Execution Graph export aborted for target 360TS_Setup.exe, PID 1548 because there are no executed function
Execution Graph export aborted for target LisectAVT_2403002C_44.exe, PID 2440 because it is empty
Execution Graph export aborted for target YBwX8KjTjRCKU7PVUt7ohrmo.exe, PID 8140 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeleteValueKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: LisectAVT_2403002C_44.exe

Simulations

Behavior and APIs

Time	Type	Description
02:00:05	API Interceptor	4x Sleep call for process: svchost.exe modified
02:00:16	API Interceptor	3700036x Sleep call for process: MSBuild.exe modified
03:27:04	API Interceptor	6x Sleep call for process: WerFault.exe modified
03:27:29	API Interceptor	2x Sleep call for process: YBwX8KjTjRCKU7PVUt7ohrmo.exe modified
08:00:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFBhuG7x7cuyTo0UEY1FLx3F.bat
09:27:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aWJAM7LmGVjrqyGFkBX76m6y.bat
09:27:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jLw9YTEqZHJtGfgAlmf6QvQQ.bat
09:27:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jThuXZ4voJcJhbCjFEaBHzHv.bat
09:27:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kGFe11FaCHj8Cq6LEsxAKO9Q.bat
09:28:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kV5jXmTcsMiETlF8iRGxyKFt.bat
09:28:25	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lKmPsTV4YA7CYpmS0qsQItFO.bat
09:28:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sksCZf6BD8bmyHJVUY7BoElf.bat
09:28:54	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vnAGf0bQ9J14q0sRMygGsW8l.bat
09:29:08	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run QHSafeTray "C:\Program Files (x86)\360\Total Security\safemon\360Tray.exe" /start
09:29:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0hV0gAK22xvEtgvyKQ5yOs5n.bat
09:29:40	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Sw8mVAoATaNcrREXaxGRBLH.bat
09:30:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12nUoaii9IJe2xngOop8SVeq.bat
09:30:22	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2oUhX6pmbSfP1XUMNBGb5PG7.bat
09:30:44	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35EAKu09UWgttv2GImwXAjnd.bat

Process:	C:\Users\user\Pictures\360TS_Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	104329184
Entropy (8bit):	7.994786831397016
Encrypted:	true
SSDEEP:	1572864:rrhlntXB9C/S9UA7dhZ76B/MCQf7Z48YHkatX1lg8zOYr6BgUD82LEOtYI:HnGWUA7dhwB0F14JHkax128OYr6982N
MD5:	B56AE4EF6D244BC96CE23A140FF0411E
SHA1:	8306784137B831B808875A08ECE410116E0154B2
SHA-256:	F88AE4717D54F92C3E939014C20B3C99FB968BE9E8092D09AF146C53CE884B48
SHA-512:	A8AB91BE36DDDC3A6AA634F21F94927101CC6C4DEA65B4EFFDEC97598D97F52D60474E451D4B82AFF0249F07F18E330DDE1BF34D4AE269ED9CA20D5134AF8073
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................i.r......q......7.......g......`......7.......7.......n.............`.B....p......u.....Rich....................PE..L...(.Cf......................(.....K.............@..........................`8.....zs8...@..................................4..<....P...'"...........7.H)....6.L.......................................@............... ...\...@....................text...\|........................... ..`.rdata...E.......F..................@..@.data........P.......4..............@....tls.........@......................@....rsrc....'"..P...(".................@..@.reloc........6.......5.............@..B........................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.35901589905449205
Encrypted:	false
SSDEEP:	6:6xboaaD0JOCEfMuaaD0JOCEfMKQmDkxboaaD0JOCEfMuaaD0JOCEfMKQmD:ZaaD0JcaaD0JwQQnaaD0JcaaD0JwQQ
MD5:	7D48941DB05D2D1C9A0C52739933543F
SHA1:	4FF1446A7D5DA6BBEA145000B00A9F4FFED90930
SHA-256:	C436AB7F36E238365FDDF5BDFEB9EBFEFACE94AD0FEB79C571182DA968815D87
SHA-512:	41C7DA95797437840014733F7021883E034503A9D8F07F7C9A0B1131A869A29A6E00D4E9FA99EEDAFBDD2F0DFDAFFB0A7671D8F666DA0E2023CA887E4BA0FB62
Malicious:	false
Reputation:	unknown
Preview:	*.>...........f.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................f.............................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.176585345909459
Encrypted:	false
SSDEEP:	192:vGfWB7td0WbkrjeBSgKjzuiFoZ24IO86arW:OfWdteWbkrjUOzuiFoY4IO86p
MD5:	65608BF1367D1006C9751AB195FD314F
SHA1:	678996B91E3B029AC14BC9F439FE9B1D9FDBFFD8
SHA-256:	C65E2C18929025D0DFF926897DAC8526811E37068656F0C87CF828B366649812
SHA-512:	E20E92B24245EA2C3F38344EC0B3C94E601143AEACA89577DFA89362DFBA95BF195D91364AD7E0CC2B655C5021FFD55829E984F96F60FC78E23F94A479DD2744
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.6.6.0.4.6.0.8.3.5.4.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.6.6.0.4.6.6.1.4.7.8.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.8.7.f.6.7.a.-.a.f.e.b.-.4.a.2.1.-.8.b.b.f.-.2.2.9.c.e.4.6.b.7.3.1.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.f.f.5.9.c.f.-.7.7.7.8.-.4.b.6.3.-.9.5.7.a.-.8.d.7.d.3.4.d.2.a.c.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.F.a.m.w.T.P.i.2.S.t.t.i.X.4.D.g.d.T.F.v.B.P.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.3.6.0.I.n.s.t.a.l.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.2.4.-.0.0.0.1.-.0.0.1.4.-.3.5.c.0.-.6.1.1.8.6.4.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.d.7.f.4.c.0.0.f.f.a.3.2.0.f.c.4.6.3.8.6.6.e.d.b.7.0.c.2.5.8.a.0.0.0.0.0.9.0.4.!.0.0.0.0.b.f.f.5.c.e.9.1.0.f.7.5.a.e.a.e.3.

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.6853795959366797
Encrypted:	false
SSDEEP:	384:xdW3Hirma4o9NLNzYvEtM0m8iq6rzuiF7Y4lO85Vw7:xkHirmaP5mbrzuiF7Y4lO8r
MD5:	DBDCDE79F965E0CC68F91BDC8CA5591F
SHA1:	1349108BAD5113AAC8ED474041AFED10BFDBC18E
SHA-256:	D9642472E41F0728AB2AA68C72097187BF6DE8DCAF423BC0B609E5F7FA4E8AE8
SHA-512:	26477B7184FC5CCCA7D33FC459C9883196A3213AD3C07A97F63E3245CF2B2D8439542CE5BABBC503C904F8A942C84BB8C5F177210C457611A32C2F3633E06678
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.6.0.8.1.5.9.9.5.7.6.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.6.0.8.1.8.1.0.5.1.3.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.d.6.4.a.9.3.-.2.5.8.5.-.4.c.a.c.-.a.a.d.3.-.8.8.0.9.d.6.5.9.c.4.8.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.3.2.0.6.2.c.-.a.b.c.1.-.4.b.e.e.-.b.a.0.c.-.4.3.7.5.4.8.b.4.7.4.9.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.L.i.s.e.c.t.A.V.T._.2.4.0.3.0.0.2.C._.4.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.a.y.a.r.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.8.8.-.0.0.0.1.-.0.0.1.4.-.a.7.3.0.-.3.6.e.5.5.7.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.5.b.1.9.4.8.2.8.6.1.4.0.7.f.4.d.2.1.e.3.d.0.9.d.c.c.7.1.e.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.5.4.0.8.2.f.6.4.c.2.7.b.6.3.a.b.3.5.9.2.7.b.8.b.5.b.6.9.f.1.5.5.1.8.1.4.6.c.!.L.

Process:	C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 654 bytes, 1 file, at 0x2c +A "setup.ini", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	654
Entropy (8bit):	7.51650500462454
Encrypted:	false
SSDEEP:	12:w5tr+Mvdx/e7SdReCBWhgzQDMo78Oe536Ir44RGyjND:wlviGC7husBe5qk44RX
MD5:	4E1C02465CE0D7E70D5DDA7E5C30A387
SHA1:	488AF13A865E5FE8CFC76D638B2F44EF0F662441
SHA-256:	2225BB63D8FD596D07B2858DC01997E76EF4E83E6283E3CABEEEA21947C90E97
SHA-512:	3E4A75F9B3CF3C0F46BE9A313B2D20C56DC3104B11ADA8928BA6342D737A5D2B20E8712B645777DBD0319DBA318468877F1065696159DD572AA4B56A9C195434
Malicious:	false
Reputation:	unknown
Preview:	MSCF............,...................F.......>..........X.u .setup.ini.H1..@.>.CKMR.j.0.\|7...}Ott....]I.m.&..,!....N..v...=N[..A>....g&.j...X...dZ.v.m.c...I.<_W.s.~+..MqB...^.C..&q.?.y.^.i......._.Pir.E<.K.Z!M.!JO9.NK.(3.I....4....\|...}>...V.&..Z..7..n>......a[...K.\|<T...f..u]V.%...,..a4_..E.~..../~......w.u.w.?..o.;...R....r..pCs .Q..wg.3..).^.C..A8...0......"B.n.rN.3.A..m.5.>.\ooo..._.bUL.l...b6........-....a0...."t.,..F........U;...........O......#.....^+T\.5.9.r}...p....K....q...)'........;<..+o3.S<.N.K.Y."..aT.".f.q.(...h#.(e-G.`.3......nT.f.k..Q..2..(RX.Y....x@sArA.. ..JH..V... .q!...G......<6a..tG...9g..

Process:	C:\Users\user\Pictures\5HEEZMiEnWqR242MeEoxlGRh.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 654 bytes, 1 file, at 0x2c +A "setup.ini", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	654
Entropy (8bit):	7.51650500462454
Encrypted:	false
SSDEEP:	12:w5tr+Mvdx/e7SdReCBWhgzQDMo78Oe536Ir44RGyjND:wlviGC7husBe5qk44RX
MD5:	4E1C02465CE0D7E70D5DDA7E5C30A387
SHA1:	488AF13A865E5FE8CFC76D638B2F44EF0F662441
SHA-256:	2225BB63D8FD596D07B2858DC01997E76EF4E83E6283E3CABEEEA21947C90E97
SHA-512:	3E4A75F9B3CF3C0F46BE9A313B2D20C56DC3104B11ADA8928BA6342D737A5D2B20E8712B645777DBD0319DBA318468877F1065696159DD572AA4B56A9C195434
Malicious:	false
Reputation:	unknown
Preview:	MSCF............,...................F.......>..........X.u .setup.ini.H1..@.>.CKMR.j.0.\|7...}Ott....]I.m.&..,!....N..v...=N[..A>....g&.j...X...dZ.v.m.c...I.<_W.s.~+..MqB...^.C..&q.?.y.^.i......._.Pir.E<.K.Z!M.!JO9.NK.(3.I....4....\|...}>...V.&..Z..7..n>......a[...K.\|<T...f..u]V.%...,..a4_..E.~..../~......w.u.w.?..o.;...R....r..pCs .Q..wg.3..).^.C..A8...0......"B.n.rN.3.A..m.5.>.\ooo..._.bUL.l...b6........-....a0...."t.,..F........U;...........O......#.....^+T\.5.9.r}...p....K....q...)'........;<..+o3.S<.N.K.Y."..aT.".f.q.(...h#.(e-G.`.3......nT.f.k..Q..2..(RX.Y....x@sArA.. ..JH..V... .q!...G......<6a..tG...9g..

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1524456
Entropy (8bit):	6.801769891654878
Encrypted:	false
SSDEEP:	24576:3D1YS7FpyUxT3DC2C1zj1SqdAGFQZIx2C45UJoeXH:OQ5xT3DDazjYq+ZIwL5UJoe3
MD5:	CD4ACEDEFA9AB5C7DCCAC667F91CEF13
SHA1:	BFF5CE910F75AEAE37583A63828A00AE5F02C4E7
SHA-256:	DD0E8944471F44180DD44807D817E0B8A1C931FC67D48278CDB7354D98567E7C
SHA-512:	06FAE66DA503EB1B9B4FBE63A5BB98C519A43999060029C35FE289E60B1CB126A6278C67CE90F02E05B893FCAEA6D54F9DEB65BC6DA82561487A7754F50C93D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........:..i..i..iM..i..i...i..i...iY.i...i..i..i..i...i..i...i..i..iB.i...i..i..i..i...i..iRich..i................PE..L......a.............................<............@..................................$.......................................Y..(.... ..`V..............P,..........@..................................@...............`...pD..@....................text............................... ..`.rdata...V.......X..................@..@.data...@....p...h...T..............@....rsrc...`V... ...X..................@..@................................................................................................................................................................................................................................................................................................................................................

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.952430779027075
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	LisectAVT_2403002C_44.exe
File size:	405'761 bytes
MD5:	2427ff6ae2a31ddb6249669ce8e470cd
SHA1:	bc54082f64c27b63ab35927b8b5b69f15518146c
SHA256:	dc3f8a774e309c5f9789137fe97d0767da4399d09d5f7d4ec3c912409aaf4417
SHA512:	7daa1e1609153f44352ab220a979d2c8417d01776fc238f0bfe9bcb8714f320cbf1eeb10bfd4e864918e78e20c0fb563750adbf8c298bc19e3ac305cf70e7390
SSDEEP:	6144:9foVL+C+YZTWgnFaF7VVeTJuFi5YFvfYdAE2aJi3yeYKmMvfsNVY1cvG35y:9c9ZTWaFaFxVQ2YdAE2aJi3uKIN
TLSH:	86841260B7C8A267E8DF5B725530958F0739F7E26886D52E68C250065CB7FE0CB26B13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....E..........."...0.&................ ....@...... ..............................rT....`................................

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC245A31E [Thu Apr 13 21:14:06 2073 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x61818	0x18e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa274	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8326	0x8400	f22e02ad4cb281be8383c2b59c7bbfeb	False	0.5105054450757576	data	5.835095199435863	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x596	0x600	da8928f5ea9bdbe30e2f133df8c0a693	False	0.41015625	data	4.0285115574679775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x30c	data			0.4230769230769231
RT_MANIFEST	0xc3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Target ID:	0
Start time:	02:00:04
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002C_44.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002C_44.exe"
Imagebase:	0x25163b90000
File size:	405'761 bytes
MD5 hash:	2427FF6AE2A31DDB6249669CE8E470CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1541695751.0000025165D45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	02:00:08
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	02:00:09
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	02:00:13
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	12
Start time:	02:00:15
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0xd50000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	16
Start time:	02:00:18
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	18
Start time:	02:00:25
Start date:	25/07/2024
Path:	C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\YBwX8KjTjRCKU7PVUt7ohrmo.exe" /s
Imagebase:	0x400000
File size:	1'524'456 bytes
MD5 hash:	CD4ACEDEFA9AB5C7DCCAC667F91CEF13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	03:27:01
Start date:	25/07/2024
Path:	C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\r0raHcCIH1k2YsFlLn2OIQyk.exe" /s
Imagebase:	0x400000
File size:	1'524'456 bytes
MD5 hash:	CD4ACEDEFA9AB5C7DCCAC667F91CEF13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002C_44.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\1721892447_0\360TS_Setup.exe

C:\Program Files (x86)\360\Total Security\config.ini

C:\Program Files (x86)\360\Total Security\i18n\i18n.ini

C:\Program Files (x86)\360\Total Security\softmgr\AdvUtils.ini

C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna.exe

C:\ProgramData\360TotalSecurity\DesktopPlus\360DeskAna64.exe

C:\ProgramData\360TotalSecurity\DesktopPlus\360Util.dll

C:\ProgramData\360TotalSecurity\DesktopPlus\360Util64.dll

C:\ProgramData\360TotalSecurity\DesktopPlus\360base.dll

C:\ProgramData\360TotalSecurity\DesktopPlus\360base64.dll

Windows Analysis Report
LisectAVT_2403002C_44.exe

Target ID:	22
Start time:	03:27:02
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 336 -ip 336
Imagebase:	0xca0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	03:27:07
Start date:	25/07/2024
Path:	C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\DD12FHVAYroWK47l2n2nUb6f.exe" /s
Imagebase:	0x400000
File size:	1'524'456 bytes
MD5 hash:	CD4ACEDEFA9AB5C7DCCAC667F91CEF13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	03:27:09
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1928 -ip 1928
Imagebase:	0xca0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	03:27:13
Start date:	25/07/2024
Path:	C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\87AZujGvMD0DS3bxBzittT7r.exe" /s
Imagebase:	0x400000
File size:	1'524'456 bytes
MD5 hash:	CD4ACEDEFA9AB5C7DCCAC667F91CEF13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	03:27:14
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6228 -ip 6228
Imagebase:	0xca0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	03:27:15
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 976
Imagebase:	0xca0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	03:27:18
Start date:	25/07/2024
Path:	C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\vG59IrPYDLqWmCOO9Pfbpgeu.exe" /s
Imagebase:	0x400000
File size:	1'524'456 bytes
MD5 hash:	CD4ACEDEFA9AB5C7DCCAC667F91CEF13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	03:27:20
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6844 -ip 6844
Imagebase:	0xca0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	03:27:23
Start date:	25/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aWJAM7LmGVjrqyGFkBX76m6y.bat" "
Imagebase:	0x7ff7fe140000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	03:27:24
Start date:	25/07/2024
Path:	C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\7FamwTPi2SttiX4DgdTFvBP1.exe" /s
Imagebase:	0x400000
File size:	1'524'456 bytes
MD5 hash:	CD4ACEDEFA9AB5C7DCCAC667F91CEF13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true