3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31-01-2023 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini.exe
Size

1.5MB
MD5

858ee6ceb590822f57d2d98a32e3c5af
SHA1

0cd9e539e919dd0367c1d04e2644bc3e8ad109e5
SHA256

3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb
SHA512

ad624bba251a6131471a662e31a676c6facb335aef433b0c2313adb57c2ca4701590845c3c237d190a1817fa43daeaaeb3731c91e19045691523cccf9cbbd198
SSDEEP

24576:AD1YS7FpyUxT3DC2O1zj1SqdAGFQZIxvC45UJoenm9x:TQ5xT3DDWzjYq+ZIxL5UJoew

Score

10^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Windows\system32\drivers\360AvFlt.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\BAPIDRV64.SYS	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360netmon.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360Box64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360Camera64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360AntiHacker64.sys	360TS_Setup.exe

Executes dropped EXE 4 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exePowerSaver.exeQHActiveDefense.exe

pid process

1668 360TS_Setup.exe
2008 360TS_Setup.exe
2028 PowerSaver.exe
760 QHActiveDefense.exe

pid	process
1668	360TS_Setup.exe
2008	360TS_Setup.exe
2028	PowerSaver.exe
760	QHActiveDefense.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Sets service image path in registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

360TS_Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360AntiHacker\ImagePath = "System32\\Drivers\\360AntiHacker64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BAPIDRV\ImagePath = "system32\\DRIVERS\\BAPIDRV64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360Box64\ImagePath = "system32\\DRIVERS\\360Box64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Loads dropped DLL 58 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exePowerSaver.exeQHActiveDefense.exeregsvr32.exe

pid	process
1088	360TS_Setup_Mini.exe
1088	360TS_Setup_Mini.exe
1088	360TS_Setup_Mini.exe
1088	360TS_Setup_Mini.exe
1088	360TS_Setup_Mini.exe
1668	360TS_Setup.exe
1668	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
936	regsvr32.exe
2028	PowerSaver.exe
2008	360TS_Setup.exe
760	QHActiveDefense.exe
760	QHActiveDefense.exe
760	QHActiveDefense.exe
760	QHActiveDefense.exe
760	QHActiveDefense.exe
268	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

360TS_Setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHSafeTray.exe\" /start"	360TS_Setup.exe

Checks for any installed AV software in registry 1 TTPs 25 IoCs

Security Software Discovery

T1063

Processes:

360TS_Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Group = "TDI"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Type	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Type = "16"	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\DisplayName = "360 Total Security"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ImagePath	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Start = "2"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ObjectName = "LocalSystem"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Start	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\DisplayName	360TS_Setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ErrorControl	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ErrorControl = "1"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Group	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ObjectName	360TS_Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

360TS_Setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 360TS_Setup.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 360TS_Setup_Mini.exe
File opened for modification \??\PhysicalDrive0 360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	360TS_Setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\360\Total Security\config\tools\AdvTools.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\safemon\chrome\360webshield.exe.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\safemon\360SafeCamera.tpi.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\safemon\360SPTool.exe.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\WDSafeDown.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\deepscan\DsRes64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\360Win10App.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\libaw.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\it\libdefa.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\safemon\360SafeCamera.tpi.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\ipc\NetDefender.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\ipc\Sxin.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\HomeRouterMgr.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\360SelfProtection.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\Utils\cef\2623\cef.pak	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\ipc\360ipc.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\ipc\360netd.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\fr\safemon\chrome\360webshield.exe.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\safemon\spsafe64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\360P2SP.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\GameBooster.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\lang\TR\SysSweeper.ui.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\TS.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\UrlSettings.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\softmgr\360elam.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\CameraProtect\CameraGuard\bkg\pic_01.jpg	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\safemon\drvmon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\LeakFixHelper64.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\fr\deepscan\cloudsec3.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\dsmain.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\deepscan\dsurls.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\safemon\udisk.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\netmon.tpi	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\netmon\NetworkMon.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\libzdtp.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\InstantSetup.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\libdefa.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\softmgr\stsuglist.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\360netcfg.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\BrowseringProtection.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\deepscan\dsconz.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\deepscan\dsconz.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\360boxld.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\modules\360PatchMgr.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\PromoUtil.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\Uninstall.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\I18N.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\ipc\360netd.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\fr\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\ipc\filemgr.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\safemon\Safemon64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\ipc\filemgr.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\Utils\cef\2623\cef_100_percent.pak	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\safemon\wdk.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\UrlSettings.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\DumpUper.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\safemon\360procmon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\safemon\Safemon64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\jcloudscan.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\SXIn.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\safemon\CameraProtect\CameraGuard\bkg\pic_01.jpg	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\tr\safemon\safemon.dll.locale	360TS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	360TS_Setup.exe

Modifies registry class 30 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ = "SD360MN Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\ = "SD360MN Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\ = "SD360MN Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID\ = "MenuEx.SD360MN.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID\ = "MenuEx.SD360MN"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer\ = "MenuEx.SD360MN.1"	regsvr32.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PowerSaver.exe360TS_Setup_Mini.exe360TS_Setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB\Blob = 5c000000010000000400000000100000030000000100000014000000f8db7e1c16f1ffd4aaad4aad8dff0f2445184aeb190000000100000010000000fdf830131f605511d717ae8f24143eea1400000001000000140000008570009f77591e8cac3c9f77262819cc9ac18f320f0000000100000020000000ed55f82e1444f79ca9dce826846fdc4e0ea3859e3d26efef412d2fff0c7c8e6c040000000100000010000000e0e22b8b045e62f1b233ee948b8f091520000000010000000906000030820605308203eda0030201020210078f0a9d03df119e434e4fec1bf0235a300d06092a864886f70d01010b0500308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f726974792032303134301e170d3134303532383136343334365a170d3339303532383136353134385a308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f72697479203230313430820222300d06092a864886f70d01010105000382020f003082020a0282020100c20f7f6d49bb39f04d943fe8fb4dc5eb3be1285ab9892a467ea5c333271d82893feb33a1876aeae882b9dac39d77d135c0cb833672a6571912bc15e2c83c7b83623414d5abb6de368ba15a71a65196a70633b3221d146253c2a5af9a40cabe2c485499e72a9368a769190b99693bc1b2acae94dc5fab7e02cade3ca774a68c10a0e5aeb69c35ef838b10e5972aba916b9a6a4595d9d054718e653fc48a53ca1e38470ae9d04184a5da1e66016504e6505b7735f5b42e29320cc6bf5f61ee3220b77c39f911faff605efec669f46f1e1ded1d06e7651e9a112e6344065f31431733e9a32682d44b83124fd2a126032548e13abd84f58ad5b46e1ae871200e45530167ade31e6be8b2e4abfdf53b8eba67af5984cc5c75d09daa5c72c42636a2ac324c6ab1f8331744d2a77d70eeeb70949abceaba1c104b635b38ddd2254504b2f0b35a7c0b0a8e21406437114d96694533e493839ef9b3b51c2b0571ea6dcce748b6b6de805010ca4938b35905704ebd9e880222586489eb40dab12d2d6a40885d23c33ed0f5d5b7908a28543962a2c5c6b1bf74cd8695f9456bccf207eaac5cd336f7a27ab5b472532a063ec337945858b14a71bb5ccd9cb2af109ad943363e528519e7422891118c8ce7bbdfe6c855087375f3960d86b7d2e506b2c08a54a86177207d6cd1feba68f3454aaf1184eb867d2f04f354ea20ffd5db3d250270870203010001a351304f300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604148570009f77591e8cac3c9f77262819cc9ac18f32301006092b06010401823715010403020100300d06092a864886f70d01010b050003820201004f2574bd1f624f5f0ff74222d7d1d65304232ec5d5d7072b6b793b5f6d90ed1355d382f1f5028f3ef996267e0d421876fc6055825a86bd113339690fcee0b02bf15d19dfd8d2fa86a4cccdacf0d0ae9a8b2b248f03c1350d20b3dfc742ea77292e0a12fc0b1a458dd931840d8d02c0acfad212bf1e6a343eea8300a348754e72662da1a5129f37a85d4a7759cfd63afc30c5a609a5bfb108e3fb2c9f76c4fb4e611d6d23f3766985eb49bb0df73dd0aa05bcdd3d6e80445ed99a68ecc989c7e61a18f860a0e78cf6e6516f0ee025b863f9f9c20b8c3c9cb2f042cdbec3f5fe4929559c5e8696fba1ed6d2686e8b8208b5cc6e72d31c5aaca7d4b7da059a41efb5071e9afcfd6aa0d99de8e95269731a5f47f6df46815b8e3f7add8efd13875025ffd6d4efcb6fc2f451ba9cad11e7aff75181536c120e45f483a95eb7be4f5f6f4fec94b21a2a9ea8a9925cbe8444090d539b46b239b52bcc0c17e17666e650bf5741596a866ed856854b224e87588644589853c7a656b96e0f259ea4725660f6a1b0c3fd44ae64b26174709fed4d7b8e0cee72f94ad808b6770ccb77bcf1b2bb9d15bbdb8035cb1f01b412ce6535516e74a0e41089937e2a9d76d0e6a45e5ece388a9fdb69bc32820ceabc2936b516553bfa05e7b9d26349a514c8ca638d5865b3c55ee50ec000bcaacdcca10abdf189bd2ac0c8d084515af8535355ae526bc	PowerSaver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	360TS_Setup_Mini.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	360TS_Setup_Mini.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	360TS_Setup_Mini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	360TS_Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	360TS_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB	PowerSaver.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

360TS_Setup.exe

pid	process
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe
2008	360TS_Setup.exe

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

360TS_Setup.exe

pid process

460
460
2008 360TS_Setup.exe
2008 360TS_Setup.exe
460
460
460

pid	process
460
460
2008	360TS_Setup.exe
2008	360TS_Setup.exe
460
460
460

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description	pid	process
Token: SeManageVolumePrivilege	1088	360TS_Setup_Mini.exe
Token: SeLoadDriverPrivilege	2008	360TS_Setup.exe
Token: SeLoadDriverPrivilege	2008	360TS_Setup.exe
Token: SeDebugPrivilege	2008	360TS_Setup.exe
Token: SeDebugPrivilege	2008	360TS_Setup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

1088 360TS_Setup_Mini.exe
1088 360TS_Setup_Mini.exe
1088 360TS_Setup_Mini.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

1088 360TS_Setup_Mini.exe
1088 360TS_Setup_Mini.exe
1088 360TS_Setup_Mini.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exe

description	pid	process	target process
PID 1088 wrote to memory of 1668	1088	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1088 wrote to memory of 1668	1088	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1088 wrote to memory of 1668	1088	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1088 wrote to memory of 1668	1088	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1088 wrote to memory of 1668	1088	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1088 wrote to memory of 1668	1088	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1088 wrote to memory of 1668	1088	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1668 wrote to memory of 2008	1668	360TS_Setup.exe	360TS_Setup.exe
PID 1668 wrote to memory of 2008	1668	360TS_Setup.exe	360TS_Setup.exe
PID 1668 wrote to memory of 2008	1668	360TS_Setup.exe	360TS_Setup.exe
PID 1668 wrote to memory of 2008	1668	360TS_Setup.exe	360TS_Setup.exe
PID 1668 wrote to memory of 2008	1668	360TS_Setup.exe	360TS_Setup.exe
PID 1668 wrote to memory of 2008	1668	360TS_Setup.exe	360TS_Setup.exe
PID 1668 wrote to memory of 2008	1668	360TS_Setup.exe	360TS_Setup.exe
PID 2008 wrote to memory of 936	2008	360TS_Setup.exe	regsvr32.exe
PID 2008 wrote to memory of 936	2008	360TS_Setup.exe	regsvr32.exe
PID 2008 wrote to memory of 936	2008	360TS_Setup.exe	regsvr32.exe
PID 2008 wrote to memory of 936	2008	360TS_Setup.exe	regsvr32.exe
PID 2008 wrote to memory of 936	2008	360TS_Setup.exe	regsvr32.exe
PID 2008 wrote to memory of 936	2008	360TS_Setup.exe	regsvr32.exe
PID 2008 wrote to memory of 936	2008	360TS_Setup.exe	regsvr32.exe
PID 2008 wrote to memory of 2028	2008	360TS_Setup.exe	PowerSaver.exe
PID 2008 wrote to memory of 2028	2008	360TS_Setup.exe	PowerSaver.exe
PID 2008 wrote to memory of 2028	2008	360TS_Setup.exe	PowerSaver.exe
PID 2008 wrote to memory of 2028	2008	360TS_Setup.exe	PowerSaver.exe
PID 2008 wrote to memory of 760	2008	360TS_Setup.exe	QHActiveDefense.exe
PID 2008 wrote to memory of 760	2008	360TS_Setup.exe	QHActiveDefense.exe
PID 2008 wrote to memory of 760	2008	360TS_Setup.exe	QHActiveDefense.exe
PID 2008 wrote to memory of 760	2008	360TS_Setup.exe	QHActiveDefense.exe
PID 936 wrote to memory of 268	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 268	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 268	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 268	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 268	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 268	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 268	936	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Program Files (x86)\1675211413_0\360TS_Setup.exe
"C:\Program Files (x86)\1675211413_0\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1 /TSinstall
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
5⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:268

C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
"C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2028

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1675211413_0\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll

Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe

Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8

Filesize
2KB

MD5
e3f19580788ce1e1229aac360daf9537

SHA1
ca034b00c27080edb9f518d5f9da97e5a6c20767

SHA256
b2453e292bc9ff4371e4f657622fc9dc143672e5db0a5d878d1d9c3607678a86

SHA512
f440339ff9e80c5ec34fc3428491b0c8af18a228e83e42887f40562f522f414601dc76c5d70a0a264dfbd9c0db5a8607282949df2a44b3b75aca386efea22ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9bf10855213d2d2b26123cd2a04220b8

SHA1
231d2ed3b9098617f196e89cee3c2a82b38b5d40

SHA256
a508e5bc0086119681076c2b05889d6f70047f971342d65792776ab7b53ca1e9

SHA512
df78a9f4ed0296f9a16d17672758411306e1b3664e9c6aece1ec738da350e2ee703f5c4f30167c4d5b54de8d154a7a4dc7250420c024e26063c8521a333e3dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8

Filesize
488B

MD5
6089a1bd6921d74b70583161cd1f4ec2

SHA1
eee18ec0fda6bf7d0e8f33389845d7a280cf1771

SHA256
1481995d83c667605d7a471575449cb7ce8280b0032d50a0ea6c189e2a7a9087

SHA512
bcb7e7e5f831ec6abf54fbe21fd53899bfcb22d4487baafd44b462f825a5874516bdbe27680c91ff6f78d3136c23dad653a57de435047e08f65313006826b0f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90de0b44d60de6ab92c9416ed5fe20ae

SHA1
2ce5b39936cab22c2d8dd990d24b60be246a5819

SHA256
809d7c853a530292259ae0c8f093ac9555bf3812b30f60e45d48a9be5db2e906

SHA512
4f4325b068177e83488d9e156bead312ce8daf78ad5bcf0d40e2642ef33a7b4cd3cf9fd1b7ccde2444b2688d17c073ee7d37ab22a4e4aa96bbfbf5d767483063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
2f4e6173e668dc61bdfb5aac707eb1ee

SHA1
2c64372628507ac3895947e272f78eb58ca050f4

SHA256
f8ec09a8dd65416aaa6fa963a0d8ad7a8b5473fed6754df29d9cc59f182546d7

SHA512
3a36745b803ee15c41e058db66634f9a45b6ab735f31d47ca003df476b47f163070ecbd47a887174936ff0c617a9ded761b967ae32551e96922faf7e6653b932

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
\Program Files (x86)\1675211413_0\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
\Program Files (x86)\360\Total Security\360NetBase.dll

Filesize
1.4MB

MD5
14c6b4bbd31f6fd13530bc941cc71d1a

SHA1
ce4e38ac82a54f64d318507ddc28f9ffbb378f0f

SHA256
401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5

SHA512
c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

Download Submit
\Program Files (x86)\360\Total Security\360TSCommon.dll

Filesize
483KB

MD5
fd9ec3f6ae3ec4e72c7d8adb9d977480

SHA1
304b83eb514354a86c9b136ac32badcec616fed8

SHA256
deddae3c60a724e167107cda7d4ad0481d8ab451f61081eff7730d0f114da918

SHA512
22a47674c2000c175594e8b9f95d23665481a2f2c84f8870a4ad58095aa107b9a0ba61a5315ebdfcd1ec6a4b3031bb3e21ee6e2624d57daae20c587592cce5fd

Download Submit
\Program Files (x86)\360\Total Security\I18N.dll

Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
\Program Files (x86)\360\Total Security\MenuEx64.dll

Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
\Program Files (x86)\360\Total Security\QHSafeMain.exe

Filesize
4.9MB

MD5
23de0575cc6db3b843ed86765fc315d3

SHA1
f8495e703dc1da0464358a8a109c3f7524f148e6

SHA256
8bf27f702cafe890916a9b8b41954d2deaae281f2e3a5a797d1adac8b93d2a7b

SHA512
65baf75a7f0006062d05b1471f7d66d6c8e63311b41fed63c3030e719d13a20287296380aee45668a18dfbb7d6a34261f3b33e2b0098b6f90fb31a8201dc61fa

Download Submit
\Program Files (x86)\360\Total Security\QHSafeMain.exe

Filesize
4.9MB

MD5
23de0575cc6db3b843ed86765fc315d3

SHA1
f8495e703dc1da0464358a8a109c3f7524f148e6

SHA256
8bf27f702cafe890916a9b8b41954d2deaae281f2e3a5a797d1adac8b93d2a7b

SHA512
65baf75a7f0006062d05b1471f7d66d6c8e63311b41fed63c3030e719d13a20287296380aee45668a18dfbb7d6a34261f3b33e2b0098b6f90fb31a8201dc61fa

Download Submit
\Program Files (x86)\360\Total Security\QHSafeMain.exe

Filesize
4.9MB

MD5
23de0575cc6db3b843ed86765fc315d3

SHA1
f8495e703dc1da0464358a8a109c3f7524f148e6

SHA256
8bf27f702cafe890916a9b8b41954d2deaae281f2e3a5a797d1adac8b93d2a7b

SHA512
65baf75a7f0006062d05b1471f7d66d6c8e63311b41fed63c3030e719d13a20287296380aee45668a18dfbb7d6a34261f3b33e2b0098b6f90fb31a8201dc61fa

Download Submit
\Program Files (x86)\360\Total Security\QHSafeMain.exe

Filesize
4.9MB

MD5
23de0575cc6db3b843ed86765fc315d3

SHA1
f8495e703dc1da0464358a8a109c3f7524f148e6

SHA256
8bf27f702cafe890916a9b8b41954d2deaae281f2e3a5a797d1adac8b93d2a7b

SHA512
65baf75a7f0006062d05b1471f7d66d6c8e63311b41fed63c3030e719d13a20287296380aee45668a18dfbb7d6a34261f3b33e2b0098b6f90fb31a8201dc61fa

Download Submit
\Program Files (x86)\360\Total Security\QHVer.dll

Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
\Program Files (x86)\360\Total Security\QHVer.dll

Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
\Program Files (x86)\360\Total Security\QHVer.dll

Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
\Program Files (x86)\360\Total Security\QHVer.dll

Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
\Program Files (x86)\360\Total Security\QHVer.dll

Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
\Program Files (x86)\360\Total Security\QHVer.dll

Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe

Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
\Program Files (x86)\360\Total Security\deepscan\BAPI.dll

Filesize
251KB

MD5
27a0b5e6e7f3fe42e272c6c4d7ebccc1

SHA1
aa7f3d9b3eca5419f098afbd049b407791843b71

SHA256
cf10bc33555da5a334b1fd77de9a215eb6e2880a3b7c6b27f46492c32ed374a7

SHA512
07d229ddb28fefabc7310e73ac653818084500966f77afa1ad55c3fa9ed47fa28ec99fff731d0edf39e3d5a97e116086619c3bc9a9be68bc1d5071970ecb10de

Download Submit
\Program Files (x86)\360\Total Security\deepscan\BAPIDRV64.sys

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
\Program Files (x86)\360\Total Security\deepscan\BAPIDRV64.sys

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
\Program Files (x86)\360\Total Security\deepscan\BAPIDRV64.sys

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
\Program Files (x86)\360\Total Security\deepscan\BAPIDRV64.sys

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
\Program Files (x86)\360\Total Security\deepscan\qutmload.dll

Filesize
111KB

MD5
b2fd7b345d3683210a2a465a886ddb9e

SHA1
2aa774cbae5c9460945ffb850b990d3159c091f6

SHA256
eed8df7dc1f0e59b367cf49aa53c91f05953d0164f2d0900ab8ec738a413e5e1

SHA512
62e29140ae56b9aaa1872a070ef343e085802fc9dd46245456326a67288d452e81d986672ea30d232c9241011412af728672d6b6844b481037f448e8c180cf4c

Download Submit
\Program Files (x86)\360\Total Security\filemon\360AvFlt.dll

Filesize
53KB

MD5
da5e35c6395a34acaa5a0eb9b71ff85a

SHA1
5da7e723aaa5859ab8f227455d80d8afa7696e22

SHA256
5e11c25e4d6e146c5e10fcbc21b2cdb5e97ec47f25c416e5d263985f3d964172

SHA512
49660339594abff9b0590bc3f401634a514834cf98fa8715b05a57a3cea575d74859681984d8c2c601d5fe947701f8f110450fac764a5d32096e24d7eadcdd2c

Download Submit
\Program Files (x86)\360\Total Security\filemon\AVCheck.dll

Filesize
321KB

MD5
0fc2f13d9e0cfbd4903a77051348d16a

SHA1
c1df2fe56cbd15271020e48751c39ab482f6eaca

SHA256
7b79ca1ec9ea05d6549218af8c646f8cb25c563e66d810ca8890340066cff72b

SHA512
6977514116a2fa2c0a884b46975cfa048d966448e493c1415467d6be8719c6b40db0181a861f9e0ef53aa90a3b04012e02e6aecb70230745c487355170416efc

Download Submit
\Program Files (x86)\360\Total Security\ipc\360Box.dll

Filesize
50KB

MD5
f398c9c333589ed57bb5a99eb2d32d13

SHA1
1fcac85e06506f332cae1d29451abe6808d8d39b

SHA256
1587d34c58ff2376384a0f3b279248d080724809eaf5f251cc2dda7896f04602

SHA512
0282f9ab1084fe093e097b6c33adfe2de59d4ed3a9eae12698df7295498ba56d4e8250a130af9f7284cd962691340246a15b3d32e9bf1df22ddd128f44d1205c

Download Submit
\Program Files (x86)\360\Total Security\ipc\360boxmain.exe

Filesize
923KB

MD5
209ee3f2b59730ba6e1413c3e0c6ee09

SHA1
de702e0f1571fdc0e9c31dd289572c6d5fd688ad

SHA256
0352b4b7908255b9487e3581a521152b7a0ab62e428f13186d23bf41c3e3941f

SHA512
9ee6d26909d620d4776355d5f6390a79b0420ebe5263322c294047b628410d8338407768ced6f6cdd0b7b38ca890f3c6315c3d659fdd8975a0cc3f0a279ff854

Download Submit
\Program Files (x86)\360\Total Security\ipc\360hvm.dll

Filesize
23KB

MD5
e540bc23b3f5934dee4d7b7b39fc3ac2

SHA1
465f0b0e4fe49b81a43980dd0cf40e068e98abed

SHA256
e794c636a50b5f51e0bd233c59c9144277a94792d3537460123a39c583d01421

SHA512
39412ddea1f7b16ae1b6d89db7f7c24b92b1b310f3d9191ab82bfa01283044d3c4e991a5fd4efee98d00c1e65d76328bd396138e5dfc90f44ed49ed605f8e764

Download Submit
\Program Files (x86)\360\Total Security\ipc\360hvm64.sys

Filesize
330KB

MD5
f93fa692aa3658422997643f51c1b7d8

SHA1
d00ddf850a7f937d1a75c401227a70fd80718171

SHA256
3c9da5ab28427405bf1099c1e7c3e77683c658c0c7c5fc458f606f368e7c6fc6

SHA512
b30b87b49f0155f2e310730a71e39de041b74d2aab53215089fc61be700854d5576c540eca34da774c358fd89e516204be14519576e2946a05b1f90318659745

Download Submit
\Program Files (x86)\360\Total Security\ipc\360hvm64.sys

Filesize
330KB

MD5
f93fa692aa3658422997643f51c1b7d8

SHA1
d00ddf850a7f937d1a75c401227a70fd80718171

SHA256
3c9da5ab28427405bf1099c1e7c3e77683c658c0c7c5fc458f606f368e7c6fc6

SHA512
b30b87b49f0155f2e310730a71e39de041b74d2aab53215089fc61be700854d5576c540eca34da774c358fd89e516204be14519576e2946a05b1f90318659745

Download Submit
\Program Files (x86)\360\Total Security\ipc\DrvUtility.dll

Filesize
171KB

MD5
bc8917f469a0e356c015ad6a31acc134

SHA1
a2e0fbcff53018ed92754065beb0a16e35339cf3

SHA256
4f798cf1e27dd355709c4ebe11a24b17ee832b4051f8952d9ae12942e0ccc5a9

SHA512
f9039ea609c18174dd76f5a89b6af4908573fe194cfaf412430c755da0626dce7b92f668e5cac6b195c91f17cc4eaf4ddb963b95bc6de7483c05436f7f4f59c8

Download Submit
\Program Files (x86)\360\Total Security\ipc\X64For32Lib.dll

Filesize
59KB

MD5
bdce31fc701c9aa16ca392a561ba102d

SHA1
58bbdeb96e7819b00d60f0e6580dfc455774a9f7

SHA256
3305ad2718c9bb9bd1db19cde17a184e0d7e497ff3930050c74875bc50f9690b

SHA512
2a16cc0a0bf718f661a3abe8f36b87c8b13716d5bdaa4c2768840734321f879de3d60255b67b2b858eabd627cf4302d7be0a29648bb65bedbfb5f838c9b96863

Download Submit
\Program Files (x86)\360\Total Security\ipc\sbmon.dll

Filesize
366KB

MD5
c0805da6b17d760418fd2fd031880934

SHA1
f9cf240f7bd4dbd31bc57913ab6517f0dc17d7a5

SHA256
edf443a3751d042fe16b8b11b484357a1b4702310bb50fb7aba9d68725803612

SHA512
f1c458ac3c1eb6ec67b4b0c54aaef09258e41ad4fbd3cd429da3bde278dba09c2419a79625aa39bb231ef277f803cf5ea568c82eaf028cd7a23a6a2fe74306ae

Download Submit
\Program Files (x86)\360\Total Security\netmon\360netctrl.dll

Filesize
382KB

MD5
30c9d5470142edf4d69b00aff040f822

SHA1
7c21ed33749b58c10ad7e1d95c922244eec62fcf

SHA256
b76103ff3d6faa46537d3db213270a086ae3b5b58fe6841b03cd5f9f73c54247

SHA512
c385b70414823107903fc1eec608b064360337114dc8a6d307f2caad9ec5ec7e53a2850f26b5374deaa97b2c727206f08a0a2037d12550e6449632d165b03b7f

Download Submit
\Program Files (x86)\360\Total Security\netmon\netmstart.dll

Filesize
169KB

MD5
b1f70f9be9df8bb186c5bc5159690a1f

SHA1
0c9347ac3245cdeb8dcea9b3edf01fe4cfd33fe2

SHA256
ce993f7583b1f253c6d82027b89fd867390ea1563564da75684d293539edc6a2

SHA512
188419d1cbc4f1b1bec99bf77f716bb004a0228d3d36eca9d2e479735efae8970dff62f5df42f01e8174173537f0d68ae37b9d5b70b0698b52f50ee0aacc5231

Download Submit
\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe

Filesize
1.1MB

MD5
7e0bce805d94db8b88971a0fe03ec52e

SHA1
f4ce366ed9958d1f25426e5914b6806aa9790a33

SHA256
e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2

SHA512
d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b

Download Submit
\Users\Admin\AppData\Local\Temp\1675211413_00000000_base\360base.dll

Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
\Users\Admin\AppData\Local\Temp\1675211416_00000000_base\360base.dll

Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
\Users\Admin\AppData\Local\Temp\360_install_20230201003016_7152427\7z.dll

Filesize
1.1MB

MD5
e74067bfda81cd82fe3a5fc2fdb87e2b

SHA1
de961204751d9af1bab9c2a9ba16edc7a4ae7388

SHA256
898bf5db34d9997b3d90b87091f34ae4e3e9cf34b6f2ae7fb8fd86e8a1bb684e

SHA512
c0b1d851d97df2635b865d7f0a252881eef622363e08190e1f45ec308fdbd81f94ece53a6c2b1b36c38fcb82c2b8262f31a936a399cee567631b9146cf3ef60a

Download Submit
\Users\Admin\AppData\Local\Temp\{D406F0CA-FA26-49f4-A573-8FF0E74CA7AF}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
\Windows\System32\drivers\BAPIDRV64.SYS

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
\Windows\System32\drivers\BAPIDRV64.SYS

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
\Windows\System32\drivers\BAPIDRV64.SYS

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
\Windows\System32\drivers\BAPIDRV64.SYS

Filesize
223KB

MD5
92250774eb2f9dd1316fc5dca5a1d375

SHA1
df62deaf0a9eacdd74b6ab1c03767a4cb7af9221

SHA256
6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a

SHA512
bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1

Download Submit
memory/268-127-0x0000000000000000-mapping.dmp

Download
memory/268-129-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/760-126-0x0000000000000000-mapping.dmp

Download
memory/936-116-0x0000000000000000-mapping.dmp

Download
memory/1088-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1668-60-0x0000000000000000-mapping.dmp

Download
memory/2008-66-0x0000000000000000-mapping.dmp

Download
memory/2028-119-0x0000000000000000-mapping.dmp

Download