Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
ad.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {805E70A6-23C0-4688-BBAF-6F995BB72730}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC,
Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required
to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
|
initial sample
|
 |
|
|
C:\Windows\Installer\MSIB6D3.tmp
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
:wtfbbq (copy)
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Config.Msi\62b2e9.rbs
|
data
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\MSIB151.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIB1FF.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIB22F.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIB25F.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIB29F.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\sharepoint\360total.dll
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\62b2e8.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {805E70A6-23C0-4688-BBAF-6F995BB72730}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC,
Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required
to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
|
dropped
|
||
|
C:\Windows\Installer\MSIB539.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSIB5A8.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSIB616.tmp
|
data
|
dropped
|
||
|
C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Installer\inprogressinstallinfo.ipi
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\Temp\~DF0283B244C6B5E337.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DF1AC3CFD0775125FE.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF2073DE2178C8B571.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF3E7EE7BCE9AFA6E3.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF4AAB101AFF98D1A9.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DF5842B46601C1DFCE.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DF71DE46FB15D5538B.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF73764F6D5903AF00.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF7CA5B0C63524655E.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DFBD93963318F8F7CE.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DFE275FC13EEECFB01.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DFEA62059097F75191.TMP
|
data
|
dropped
|
There are 21 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\msiexec.exe
|
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi"
|
|
|
|
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
|
|
|
C:\Windows\Installer\MSIB6D3.tmp
|
"C:\Windows\Installer\MSIB6D3.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
|
|
|
|
C:\Windows\System32\rundll32.exe
|
"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
|
|
|
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding CFBB24A404B21769C19C85B2027D69FC C
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding 02B62BF455D61FC50D15E7A41AF45BC1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://wrankaget.site/live/
|
|
||
|
https://jarinamaers.shop/
|
unknown
|
|
|
|
https://jarinamaers.shop/live/
|
104.21.46.75
|
|
|
|
https://jarinamaers.shop/live/IP
|
unknown
|
||
|
https://jarinamaers.shop/live/5
|
unknown
|
||
|
https://jarinamaers.shop/.b
|
unknown
|
||
|
https://jarinamaers.shop/live/r
|
unknown
|
||
|
http://pconf.f.360.cn/safe_update.php
|
unknown
|
||
|
https://jarinamaers.shop/x
|
unknown
|
||
|
ftp://ftp%2desktop.ini
|
unknown
|
||
|
https://jarinamaers.shop/fb
|
unknown
|
||
|
https://jarinamaers.shop/rRb&u
|
unknown
|
||
|
https://jarinamaers.shop/live/RYPT32.dll.mui3N
|
unknown
|
||
|
https://jarinamaers.shop/live/06
|
unknown
|
||
|
https://jarinamaers.shop/live/zTEum
|
unknown
|
||
|
http://pscan.f.360.cn/safe_update.php
|
unknown
|
||
|
https://jarinamaers.shop/live/ace
|
unknown
|
||
|
http://dr.f.360.cn/scanlist
|
unknown
|
||
|
https://www.thawte.com/cps0/
|
unknown
|
||
|
https://jarinamaers.shop/live/I
|
unknown
|
||
|
http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
|
unknown
|
||
|
https://www.thawte.com/repository0W
|
unknown
|
||
|
http://sconf.f.360.cn/client_security_conf
|
unknown
|
||
|
http://dr.f.360.cn/scan
|
unknown
|
||
|
https://jarinamaers.shop/d
|
unknown
|
||
|
https://www.advancedinstaller.com
|
unknown
|
There are 16 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
jarinamaers.shop
|
104.21.46.75
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
104.21.46.75
|
jarinamaers.shop
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Config.Msi\
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\62b2e9.rbs
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\62b2e9.rbsLow
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\Microsoft\Installer\
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1003\Components\C72CC84B32896524285338B4DFD2D0BB
|
E927531B47501D447B1AE64455F005B6
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1003\Components\F5D323A437D662C4E893EB9882AD31BE
|
E927531B47501D447B1AE64455F005B6
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1003\Components\895F9FDA48B79C541BAC8E90865A83AB
|
E927531B47501D447B1AE64455F005B6
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\HuMaster LLC\
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Local\sharepoint\
|
||
|
HKEY_CURRENT_USER\SOFTWARE\HuMaster LLC\360 Total
|
Version
|
||
|
HKEY_CURRENT_USER\SOFTWARE\HuMaster LLC\360 Total
|
Path
|
There are 5 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2095BA10000
|
direct allocation
|
page execute and read and write
|
|
|
|
2268D6C0000
|
direct allocation
|
page read and write
|
|
|
|
2268D6D0000
|
direct allocation
|
page execute and read and write
|
|
|
|
2095B810000
|
direct allocation
|
page read and write
|
|
|
|
2095B820000
|
direct allocation
|
page execute and read and write
|
|
|
|
2095BA10000
|
direct allocation
|
page execute and read and write
|
|
|
|
2095BA10000
|
direct allocation
|
page execute and read and write
|
|
|
|
2095BA10000
|
direct allocation
|
page execute and read and write
|
|
|
|
26387CE0000
|
direct allocation
|
page read and write
|
|
|
|
26387CF0000
|
direct allocation
|
page execute and read and write
|
|
|
|
2095BDE0000
|
direct allocation
|
page execute and read and write
|
|
|
|
E23987A000
|
stack
|
page read and write
|
|
|
|
2268D490000
|
heap
|
page read and write
|
||
|
26386300000
|
heap
|
page read and write
|
||
|
2268D470000
|
heap
|
page read and write
|
||
|
263863A0000
|
heap
|
page read and write
|
||
|
2095BEC4000
|
heap
|
page read and write
|
||
|
20959EEF000
|
heap
|
page read and write
|
||
|
2268D498000
|
heap
|
page read and write
|
||
|
180086000
|
unkown
|
page readonly
|
||
|
2095B960000
|
trusted library allocation
|
page read and write
|
||
|
26387E60000
|
direct allocation
|
page execute and read and write
|
||
|
26387F70000
|
direct allocation
|
page execute and read and write
|
||
|
E239AFF000
|
stack
|
page read and write
|
||
|
26387F30000
|
direct allocation
|
page execute and read and write
|
||
|
2095B9E0000
|
heap
|
page read and write
|
||
|
2095BA70000
|
direct allocation
|
page execute and read and write
|
||
|
5BC37AC000
|
stack
|
page read and write
|
||
|
2C70000
|
heap
|
page read and write
|
||
|
2095BA80000
|
direct allocation
|
page execute and read and write
|
||
|
20959E00000
|
heap
|
page read and write
|
||
|
E239878000
|
stack
|
page read and write
|
||
|
26387FC0000
|
direct allocation
|
page execute and read and write
|
||
|
1800C5000
|
unkown
|
page read and write
|
||
|
26387E40000
|
trusted library allocation
|
page read and write
|
||
|
2268D680000
|
heap
|
page read and write
|
||
|
746B87F000
|
stack
|
page read and write
|
||
|
B90000
|
unkown
|
page readonly
|
||
|
26386340000
|
heap
|
page read and write
|
||
|
11D9000
|
heap
|
page read and write
|
||
|
20959F1B000
|
heap
|
page read and write
|
||
|
11AB000
|
heap
|
page read and write
|
||
|
2095BEB0000
|
remote allocation
|
page read and write
|
||
|
2268D685000
|
heap
|
page read and write
|
||
|
B30000
|
unkown
|
page readonly
|
||
|
E2399FB000
|
stack
|
page read and write
|
||
|
3300000
|
trusted library allocation
|
page read and write
|
||
|
B0E000
|
stack
|
page read and write
|
||
|
1070000
|
heap
|
page read and write
|
||
|
A5B000
|
stack
|
page read and write
|
||
|
5BC3A7E000
|
stack
|
page read and write
|
||
|
E2394AC000
|
stack
|
page read and write
|
||
|
BDE000
|
stack
|
page read and write
|
||
|
2095B980000
|
direct allocation
|
page execute and read and write
|
||
|
2095A1E5000
|
heap
|
page read and write
|
||
|
2095BEB0000
|
remote allocation
|
page read and write
|
||
|
2268D660000
|
heap
|
page read and write
|
||
|
180001000
|
unkown
|
page execute read
|
||
|
2268D49E000
|
heap
|
page read and write
|
||
|
26387E40000
|
trusted library allocation
|
page read and write
|
||
|
26387EE0000
|
direct allocation
|
page execute and read and write
|
||
|
B77000
|
unkown
|
page readonly
|
||
|
26386360000
|
heap
|
page read and write
|
||
|
B30000
|
unkown
|
page readonly
|
||
|
2095BA70000
|
direct allocation
|
page execute and read and write
|
||
|
26387F10000
|
direct allocation
|
page execute and read and write
|
||
|
1800C5000
|
unkown
|
page read and write
|
||
|
EFC000
|
stack
|
page read and write
|
||
|
2095BA80000
|
direct allocation
|
page execute and read and write
|
||
|
2095BA70000
|
direct allocation
|
page execute and read and write
|
||
|
B10000
|
heap
|
page read and write
|
||
|
2095BA60000
|
direct allocation
|
page execute and read and write
|
||
|
20959EE8000
|
heap
|
page read and write
|
||
|
26386368000
|
heap
|
page read and write
|
||
|
2C60000
|
heap
|
page read and write
|
||
|
1800C6000
|
unkown
|
page write copy
|
||
|
26387E40000
|
direct allocation
|
page execute and read and write
|
||
|
2268D460000
|
heap
|
page read and write
|
||
|
20959F22000
|
heap
|
page read and write
|
||
|
2EBF000
|
stack
|
page read and write
|
||
|
20959F2E000
|
heap
|
page read and write
|
||
|
2095B960000
|
direct allocation
|
page execute and read and write
|
||
|
2268F1B0000
|
heap
|
page read and write
|
||
|
20959F34000
|
heap
|
page read and write
|
||
|
26387EE0000
|
direct allocation
|
page execute and read and write
|
||
|
20959E80000
|
heap
|
page read and write
|
||
|
117E000
|
stack
|
page read and write
|
||
|
18016C000
|
unkown
|
page readonly
|
||
|
2095BEC0000
|
heap
|
page read and write
|
||
|
2268EFD0000
|
trusted library allocation
|
page read and write
|
||
|
746B8FE000
|
stack
|
page read and write
|
||
|
26387FB0000
|
direct allocation
|
page execute and read and write
|
||
|
2C2F000
|
stack
|
page read and write
|
||
|
2095BEC7000
|
heap
|
page read and write
|
||
|
2268D4C1000
|
heap
|
page read and write
|
||
|
26387E40000
|
trusted library allocation
|
page read and write
|
||
|
746B97E000
|
stack
|
page read and write
|
||
|
2095B960000
|
trusted library allocation
|
page read and write
|
||
|
3200000
|
heap
|
page read and write
|
||
|
746B87B000
|
stack
|
page read and write
|
||
|
138E000
|
stack
|
page read and write
|
||
|
2095BDD0000
|
direct allocation
|
page execute and read and write
|
||
|
B8C000
|
unkown
|
page write copy
|
||
|
B77000
|
unkown
|
page readonly
|
||
|
11BF000
|
heap
|
page read and write
|
||
|
100E000
|
stack
|
page read and write
|
||
|
180000000
|
unkown
|
page readonly
|
||
|
20959E88000
|
heap
|
page read and write
|
||
|
2095BEB0000
|
remote allocation
|
page read and write
|
||
|
1190000
|
heap
|
page read and write
|
||
|
26387F00000
|
direct allocation
|
page execute and read and write
|
||
|
2095BA80000
|
direct allocation
|
page execute and read and write
|
||
|
20959F34000
|
heap
|
page read and write
|
||
|
1198000
|
heap
|
page read and write
|
||
|
2268D810000
|
trusted library allocation
|
page read and write
|
||
|
263862E0000
|
heap
|
page read and write
|
||
|
2095BA10000
|
direct allocation
|
page execute and read and write
|
||
|
2C40000
|
heap
|
page read and write
|
||
|
2268D810000
|
trusted library allocation
|
page read and write
|
||
|
2095B960000
|
trusted library allocation
|
page read and write
|
||
|
1075000
|
heap
|
page read and write
|
||
|
AC0000
|
heap
|
page read and write
|
||
|
2095BA10000
|
direct allocation
|
page execute and read and write
|
||
|
2D7F000
|
stack
|
page read and write
|
||
|
2DBE000
|
stack
|
page read and write
|
||
|
20959F22000
|
heap
|
page read and write
|
||
|
180086000
|
unkown
|
page readonly
|
||
|
2268D810000
|
direct allocation
|
page execute and read and write
|
||
|
2268D4B9000
|
heap
|
page read and write
|
||
|
1800C6000
|
unkown
|
page write copy
|
||
|
180000000
|
unkown
|
page readonly
|
||
|
20959E10000
|
heap
|
page read and write
|
||
|
20959F2E000
|
heap
|
page read and write
|
||
|
E239B7F000
|
stack
|
page read and write
|
||
|
26387F90000
|
direct allocation
|
page execute and read and write
|
||
|
2095BA30000
|
direct allocation
|
page execute and read and write
|
||
|
2095A1E0000
|
heap
|
page read and write
|
||
|
263862D0000
|
heap
|
page read and write
|
||
|
180001000
|
unkown
|
page execute read
|
||
|
B31000
|
unkown
|
page execute read
|
||
|
B31000
|
unkown
|
page execute read
|
||
|
E2398FE000
|
stack
|
page read and write
|
||
|
E239A7F000
|
stack
|
page read and write
|
||
|
B90000
|
unkown
|
page readonly
|
||
|
20959F1B000
|
heap
|
page read and write
|
||
|
26387E40000
|
trusted library allocation
|
page read and write
|
||
|
26386345000
|
heap
|
page read and write
|
||
|
5BC3AFE000
|
stack
|
page read and write
|
||
|
2095B960000
|
trusted library allocation
|
page read and write
|
||
|
20959E30000
|
heap
|
page read and write
|
||
|
2268EFD0000
|
trusted library allocation
|
page read and write
|
||
|
2095BA70000
|
direct allocation
|
page execute and read and write
|
||
|
104E000
|
stack
|
page read and write
|
||
|
E23997D000
|
stack
|
page read and write
|
||
|
18016C000
|
unkown
|
page readonly
|
||
|
26387D40000
|
heap
|
page read and write
|
||
|
746B9FE000
|
stack
|
page read and write
|
||
|
B8C000
|
unkown
|
page read and write
|
||
|
26387F50000
|
direct allocation
|
page execute and read and write
|
||
|
2095BA40000
|
direct allocation
|
page execute and read and write
|
There are 150 hidden memdumps, click here to show them.