sality | 36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51

Modify Existing Service

T1031

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

Modify Registry

Change Default File Association

T1042

Processes:

360safe.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Safe360Ext	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Safe360Ext\ = "{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Safe360Ext\ = "{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}"	regsvr32.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Program Files (x86)\360\360Safe\deepscan\cloudcom2.dll	cryptone

Downloads MZ/PE file

Drops file in Drivers directory 8 IoCs

Processes:

360safe.exezhudongfangyu.exe

description	ioc	process
File created	C:\Windows\system32\drivers\360AntiHacker64.sys	360safe.exe
File created	C:\Windows\system32\drivers\BAPIDRV64.SYS	360safe.exe
File created	C:\Windows\system32\drivers\360FsFlt.sys	zhudongfangyu.exe
File opened for modification	C:\Windows\system32\drivers\360FsFlt.sys	zhudongfangyu.exe
File created	C:\Windows\system32\drivers\efimon.sys	zhudongfangyu.exe
File created	C:\Windows\system32\drivers\360netmon.sys	360safe.exe
File created	C:\Windows\system32\drivers\360Box64.sys	360safe.exe
File created	C:\Windows\system32\drivers\360Camera64.sys	360safe.exe

Executes dropped EXE 3 IoCs

Processes:

360safe.exezhudongfangyu.exezhudongfangyu.exe

pid process

1396 360safe.exe
1912 zhudongfangyu.exe
556 zhudongfangyu.exe

pid	process
1396	360safe.exe
1912	zhudongfangyu.exe
556	zhudongfangyu.exe

Registers COM server for autorun 1 TTPs 8 IoCs

Registry Run Keys / Startup Folder

Processes:

regsvr32.exe360safe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}\InprocServer32\ = "C:\\Program Files (x86)\\360\\360Safe\\Utils\\shell360ext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32\ = "C:\\Program Files (x86)\\360\\360Safe\\Utils\\shell360ext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7A148181-CEB9-4F5E-B5F2-CDC5B68BD3A8}\InprocServer32	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7A148181-CEB9-4F5E-B5F2-CDC5B68BD3A8}\InprocServer32\ = "C:\\Program Files (x86)\\360\\360Safe\\safemon\\360UDiskGuard64.dll"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}\InprocServer32	regsvr32.exe

Sets service image path in registry 2 TTPs 3 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

360safe.exezhudongfangyu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360Box64\ImagePath = "system32\\DRIVERS\\360Box64.sys"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ZhuDongFangYu\ImagePath = "\"C:\\Program Files (x86)\\360\\360Safe\\deepscan\\zhudongfangyu.exe\""	zhudongfangyu.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BAPIDRV\ImagePath = "\\SystemRoot\\System32\\Drivers\\BAPIDRV64.SYS"	360safe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1448-55-0x0000000002040000-0x00000000030CE000-memory.dmp	upx
behavioral1/memory/1448-57-0x0000000002040000-0x00000000030CE000-memory.dmp	upx
behavioral1/memory/1448-61-0x0000000002040000-0x00000000030CE000-memory.dmp	upx

Loads dropped DLL 47 IoCs

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe360safe.exeregsvr32.exezhudongfangyu.exezhudongfangyu.exe

pid	process
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1584	regsvr32.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1396	360safe.exe
1912	zhudongfangyu.exe
1912	zhudongfangyu.exe
1912	zhudongfangyu.exe
556	zhudongfangyu.exe
556	zhudongfangyu.exe
556	zhudongfangyu.exe
1396	360safe.exe
556	zhudongfangyu.exe
1396	360safe.exe
556	zhudongfangyu.exe
556	zhudongfangyu.exe
556	zhudongfangyu.exe
1396	360safe.exe
1396	360safe.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

360safe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360Safetray = "\"C:\\Program Files (x86)\\360\\360Safe\\safemon\\360Tray.exe\" /start"	360safe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
File opened (read-only)	\??\H:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\I:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\M:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\O:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\S:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\G:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\W:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\X:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\Y:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\Z:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\K:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\Q:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\T:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\U:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\V:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\E:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\F:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\J:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\L:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\N:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\P:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File opened (read-only)	\??\R:	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

360safe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	360safe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1"	360safe.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description ioc process

File opened for modification \??\PhysicalDrive0 36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description ioc process

File opened for modification C:\autorun.inf 36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Drops file in System32 directory 1 IoCs

Processes:

360safe.exe

description ioc process

File created C:\Windows\SysWOW64\360SoftMgr.cpl 360safe.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
File opened for modification	C:\autorun.inf	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
File created	C:\Windows\SysWOW64\360SoftMgr.cpl	360safe.exe

Drops file in Program Files directory 21 IoCs

Processes:

360safe.exezhudongfangyu.exe36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
File created	C:\Program Files (x86)\360\360Safe\MiniUI.dll	360safe.exe
File opened for modification	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg-journal	zhudongfangyu.exe
File opened for modification	C:\Program Files (x86)\360\360Safe\updatecfg.ini	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninst\filelist.xml	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninstbackup\UninstallRootDirFileList.xml	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\{1708D1DC-F1F8-4267-A57A-D1CDFC6BF573}.tf	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninstbackup\filelist.xml	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninst\Register.xml	360safe.exe
File opened for modification	C:\Program Files (x86)\360\360Safe\AntiArp\dpath.ini	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\safemon\7z.dll	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\{49866394-1937-45f4-8A56-B69F2E82AF1C}.tf	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninst\360safe.setup	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninst\Plugin.xml	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninstbackup\360safe.setup	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninstbackup\Plugin.xml	360safe.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninstbackup\Register.xml	360safe.exe
File opened for modification	C:\Program Files (x86)\360\360Safe\safemon\param.ini	360safe.exe
File opened for modification	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	zhudongfangyu.exe
File created	C:\Program Files (x86)\360\360Safe\{013DBA46-DD62-451d-9D7B-2CEDEC8EA691}.tf	360safe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
File created	C:\Program Files (x86)\360\360Safe\config\uninst\UninstallRootDirFileList.xml	360safe.exe

Drops file in Windows directory 1 IoCs

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

Modifies registry class 64 IoCs

Processes:

360safe.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\TypeLib\Version = "1.0"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7418AFE6-6A10-479B-99FA-4AE0D39026A9}\1.0\0\win32\ = "C:\\Program Files (x86)\\360\\360Safe\\SoftMgr\\360SpeedTime.dll"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\TypeLib	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{066F24B7-D820-4176-8B55-058A8F1BA583}	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZHUSHOU360\Shell	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon\ = "SafeMon Class"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ = "IShellContextMenu"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\TypeLib	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SpeedTimeImpl.SpeedTimeImpl.1\ = "SpeedTimeImpl Class"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{066F24B7-D820-4176-8B55-058A8F1BA583}\TypeLib	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZHUSHOU360\	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{451A36CF-D7AA-477D-AAD8-6AB2E2F043A1}\ = "shell360ext"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ProxyStubClsid32\ = "{26CD0715-0722-479B-A8C7-29A911171774}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}\InprocServer32\ThreadingModel = "Apartment"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7418AFE6-6A10-479B-99FA-4AE0D39026A9}\1.0\0\win32	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\shell360ext.DLL\AppID = "{451A36CF-D7AA-477D-AAD8-6AB2E2F043A1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{338CE0CA-987B-4CC9-8297-5430E7DCFD2A}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7A148181-CEB9-4F5E-B5F2-CDC5B68BD3A8}\InprocServer32\ = "C:\\Program Files (x86)\\360\\360Safe\\safemon\\360UDiskGuard64.dll"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Safe360Ext	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7A148181-CEB9-4F5E-B5F2-CDC5B68BD3A8}	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7A148181-CEB9-4F5E-B5F2-CDC5B68BD3A8}\ = "我的U盘 (A:)"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32\ThreadingModel = "Both"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ProxyStubClsid32\ = "{26CD0715-0722-479B-A8C7-29A911171774}"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SpeedTimeImpl.SpeedTimeImpl.1	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZHUSHOU360	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26CD0715-0722-479B-A8C7-29A911171774}\ProxyStubClsid32	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon.1\CLSID	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7418AFE6-6A10-479B-99FA-4AE0D39026A9}\1.0\HELPDIR	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZHUSHOU360\DefaultIcon	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib\ = "{BB67E9B5-A1A3-4206-A443-DE93D592682C}"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SpeedTimeImpl.SpeedTimeImpl.1\CLSID	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Safe360Ext	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7418AFE6-6A10-479B-99FA-4AE0D39026A9}\1.0\0	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{066F24B7-D820-4176-8B55-058A8F1BA583}\ProxyStubClsid32	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{066F24B7-D820-4176-8B55-058A8F1BA583}\TypeLib\ = "{7418AFE6-6A10-479B-99FA-4AE0D39026A9}"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{066F24B7-D820-4176-8B55-058A8F1BA583}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}\ = "ShellContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{338CE0CA-987B-4CC9-8297-5430E7DCFD2A}\1.0\0\win64\ = "C:\\Program Files (x86)\\360\\360Safe\\Utils\\shell360ext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Safe360Ext\ = "{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}"	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID\ = "Safemon.NavigatMon"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26CD0715-0722-479B-A8C7-29A911171774}	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AD6078-180A-4924-BB11-9C3DA8A42C05}\TypeLib	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "SafeMon Class"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C0F6D57-E799-4C8A-A319-8E2B4D724CF0}\InprocServer32	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SpeedTimeImpl.SpeedTimeImpl	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AD6078-180A-4924-BB11-9C3DA8A42C05}\VersionIndependentProgID\ = "SpeedTimeImpl.SpeedTimeImpl"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{066F24B7-D820-4176-8B55-058A8F1BA583}\TypeLib	360safe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon\CurVer\ = "Safemon.NavigatMon.1"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{338CE0CA-987B-4CC9-8297-5430E7DCFD2A}\1.0	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AD6078-180A-4924-BB11-9C3DA8A42C05}\TypeLib\ = "{7418AFE6-6A10-479B-99FA-4AE0D39026A9}"	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AD6078-180A-4924-BB11-9C3DA8A42C05}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	360safe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7418AFE6-6A10-479B-99FA-4AE0D39026A9}	360safe.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

pid	process
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

464
464
464
464
464

pid	process
464
464
464
464
464

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe360safe.exezhudongfangyu.exe

description	pid	process
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeManageVolumePrivilege	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
Token: SeDebugPrivilege	1396	360safe.exe
Token: SeDebugPrivilege	1396	360safe.exe
Token: SeDebugPrivilege	1396	360safe.exe
Token: SeDebugPrivilege	556	zhudongfangyu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe360safe.exe

description	pid	process	target process
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1812	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1396	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	360safe.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1396 wrote to memory of 1584	1396	360safe.exe	regsvr32.exe
PID 1396 wrote to memory of 1584	1396	360safe.exe	regsvr32.exe
PID 1396 wrote to memory of 1584	1396	360safe.exe	regsvr32.exe
PID 1396 wrote to memory of 1584	1396	360safe.exe	regsvr32.exe
PID 1396 wrote to memory of 1584	1396	360safe.exe	regsvr32.exe
PID 1396 wrote to memory of 1584	1396	360safe.exe	regsvr32.exe
PID 1396 wrote to memory of 1584	1396	360safe.exe	regsvr32.exe
PID 1448 wrote to memory of 1232	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	taskhost.exe
PID 1448 wrote to memory of 1320	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Dwm.exe
PID 1448 wrote to memory of 1384	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	Explorer.EXE
PID 1448 wrote to memory of 1184	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1448 wrote to memory of 1168	1448	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe	DllHost.exe
PID 1396 wrote to memory of 1912	1396	360safe.exe	zhudongfangyu.exe
PID 1396 wrote to memory of 1912	1396	360safe.exe	zhudongfangyu.exe
PID 1396 wrote to memory of 1912	1396	360safe.exe	zhudongfangyu.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe
"C:\Users\Admin\AppData\Local\Temp\36ef019e36c07eb2c3bb4c45dabecc750569dcb17d1f7f5867133018ba319c51.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1448

C:\Users\Admin\AppData\Local\Temp\360safe.exe
"C:\Users\Admin\AppData\Local\Temp\360safe.exe" /S /D=C:\Program Files (x86)\360\360Safe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll"
4⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1584

C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe
"C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe" /InstallAndStart
4⤵
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
PID:1912

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1184

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1168

C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe
"C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Change Default File Association

T1042

Registry Run Keys / Startup Folder

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

Bypass User Account Control

T1088

Disabling Security Tools