3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini.exe
Size

1.5MB
MD5

858ee6ceb590822f57d2d98a32e3c5af
SHA1

0cd9e539e919dd0367c1d04e2644bc3e8ad109e5
SHA256

3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb
SHA512

ad624bba251a6131471a662e31a676c6facb335aef433b0c2313adb57c2ca4701590845c3c237d190a1817fa43daeaaeb3731c91e19045691523cccf9cbbd198
SSDEEP

24576:AD1YS7FpyUxT3DC2O1zj1SqdAGFQZIxvC45UJoenm9x:TQ5xT3DDWzjYq+ZIxL5UJoew

Score

10^/10

bootkit discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

616 bcdedit.exe
3692 bcdedit.exe
Downloads MZ/PE file

pid	process
616	bcdedit.exe
3692	bcdedit.exe

Drops file in Drivers directory 10 IoCs

Processes:

360TS_Setup.exeQHActiveDefense.exeEaInstHelper64.exe

description	ioc	process
File created	C:\Windows\system32\drivers\360netmon.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360Box64.sys	360TS_Setup.exe
File opened for modification	C:\Windows\system32\drivers\360FsFlt.sys	QHActiveDefense.exe
File created	C:\Windows\system32\drivers\360FsFlt.sys	QHActiveDefense.exe
File created	C:\Windows\system32\drivers\360Camera64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360AvFlt.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\BAPIDRV64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360AntiHacker64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360elam64.sys	EaInstHelper64.exe
File opened for modification	C:\Windows\system32\drivers\360elam64.sys	EaInstHelper64.exe

Executes dropped EXE 10 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exeWscReg.exePowerSaver.exeWscReg.exeWscReg.exeEaInstHelper64.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exe

pid	process
3880	360TS_Setup.exe
3532	360TS_Setup.exe
4460	WscReg.exe
4028	PowerSaver.exe
3380	WscReg.exe
4148	WscReg.exe
4176	EaInstHelper64.exe
4976	QHActiveDefense.exe
3272	QHActiveDefense.exe
936	QHSafeTray.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Sets service image path in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QHActiveDefense.exe360TS_Setup.exeEaInstHelper64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AntiHacker\ImagePath = "System32\\Drivers\\360AntiHacker64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BAPIDRV\ImagePath = "system32\\DRIVERS\\BAPIDRV64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360Box64\ImagePath = "system32\\DRIVERS\\360Box64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHProtected\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\WscReg.exe\""	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360elam64\ImagePath = "system32\\DRIVERS\\360elam64.sys"	EaInstHelper64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Loads dropped DLL 64 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exeregsvr32.exePowerSaver.exeWscReg.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exe

pid	process
4936	360TS_Setup_Mini.exe
3880	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
4756	regsvr32.exe
1308	regsvr32.exe
4028	PowerSaver.exe
4148	WscReg.exe
4976	QHActiveDefense.exe
4976	QHActiveDefense.exe
4976	QHActiveDefense.exe
4976	QHActiveDefense.exe
4976	QHActiveDefense.exe
4976	QHActiveDefense.exe
4976	QHActiveDefense.exe
4976	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
936	QHSafeTray.exe
936	QHSafeTray.exe
3272	QHActiveDefense.exe
936	QHSafeTray.exe
3272	QHActiveDefense.exe
936	QHSafeTray.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
936	QHSafeTray.exe
3272	QHActiveDefense.exe
936	QHSafeTray.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 54.255.193.226
Destination IP 54.255.193.226
Destination IP 54.255.193.226
Destination IP 54.255.193.226

description	ioc
Destination IP	54.255.193.226
Destination IP	54.255.193.226
Destination IP	54.255.193.226
Destination IP	54.255.193.226

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

360TS_Setup.exeQHActiveDefense.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start"	360TS_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start"	QHActiveDefense.exe

Checks for any installed AV software in registry 1 TTPs 28 IoCs

Security Software Discovery

T1063

Processes:

360TS_Setup.exeQHActiveDefense.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName = "LocalSystem"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Alias	QHActiveDefense.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start = "2"	360TS_Setup.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName = "360 Total Security"	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl = "1"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group = "TDI"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type = "16"	360TS_Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

360TS_Setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	360TS_Setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

QHActiveDefense.exeQHSafeTray.exe360TS_Setup_Mini.exe360TS_Setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QHActiveDefense.exe
File opened for modification	\??\PhysicalDrive0	QHSafeTray.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\safemon\drvmon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\dynlbase.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\DrvUtility.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\DumpUper.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\deepscan\dsr.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\360AntiHacker.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\AntiAdwa.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\ramengine.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\Utils\cef\2623\icudtl.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\safemon\spsafe64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\libvi.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\safemon\360SafeCamera.tpi.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\safemon\safemon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\safemon\spsafe64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\deepscan\DsRes64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\safemon\wd.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\safemon\bp.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\qex\qex.vdb.enc	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\fr\ipc\Sxin.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\newui\themes\default\DesktopPlus\DesktopPlus_theme.ui	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\DsArk.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\spsafe64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\360Central.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\Utils\360DrvMgr\360LibDrvmgr.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\safemon\SelfProtectAPI2.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\360SafeCamera.tpi.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\ipc\Sxin.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\tr\ipc\yhregd.dll.locale	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\360\Total Security\i18n\i18n.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\lang\vi\SysSweeper.ui.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\safemon\360procmon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\DailyNews.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\safemon\safemon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\safemon\CameraProtect\CameraGuard\bkg\pic_01.jpg	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\drvmon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\sweeper\Tracehelper.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\deepscan\cloudsec3.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\TraceClean.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\ipc\360ipc.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\backupsrv.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\safemon\drvmon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\safemon\spsafe.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\libdefa.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\360DeskAna.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\FirstPrioritySupport.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\dsr.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\safemon\360SPTool.exe.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\sweeper\CleanHelper64.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18ngi.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\QuickSearch.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\wdblockij.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\safemon\Safemon64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\netmon\netdrv\x64\360netmon_x64.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\safemon\bp.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\ipc\filemgr.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\safemon\Safemon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\360AntiHacker64_win10.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\safemon\wdk.ini	360TS_Setup.exe

Drops file in Windows directory 2 IoCs

Processes:

EaInstHelper64.exe

description	ioc	process
File opened for modification	C:\Windows\ELAMBKUP	EaInstHelper64.exe
File created	C:\Windows\ELAMBKUP\360elam64.sys	EaInstHelper64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	360TS_Setup.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

QHActiveDefense.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\360Safe\360Scan\NetProbe	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan\NetProbe	QHActiveDefense.exe

Modifies registry class 54 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\ = "MenuEx 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID\ = "MenuEx.SD360MN"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\ = "SD360MN Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID\ = "MenuEx.SD360MN.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ = "SD360MN Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\ = "SD360MN Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer\ = "MenuEx.SD360MN.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\360\\Total Security"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN"	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PowerSaver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB	PowerSaver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB\Blob = 5c000000010000000400000000100000030000000100000014000000f8db7e1c16f1ffd4aaad4aad8dff0f2445184aeb190000000100000010000000fdf830131f605511d717ae8f24143eea1400000001000000140000008570009f77591e8cac3c9f77262819cc9ac18f320f0000000100000020000000ed55f82e1444f79ca9dce826846fdc4e0ea3859e3d26efef412d2fff0c7c8e6c040000000100000010000000e0e22b8b045e62f1b233ee948b8f091520000000010000000906000030820605308203eda0030201020210078f0a9d03df119e434e4fec1bf0235a300d06092a864886f70d01010b0500308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f726974792032303134301e170d3134303532383136343334365a170d3339303532383136353134385a308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f72697479203230313430820222300d06092a864886f70d01010105000382020f003082020a0282020100c20f7f6d49bb39f04d943fe8fb4dc5eb3be1285ab9892a467ea5c333271d82893feb33a1876aeae882b9dac39d77d135c0cb833672a6571912bc15e2c83c7b83623414d5abb6de368ba15a71a65196a70633b3221d146253c2a5af9a40cabe2c485499e72a9368a769190b99693bc1b2acae94dc5fab7e02cade3ca774a68c10a0e5aeb69c35ef838b10e5972aba916b9a6a4595d9d054718e653fc48a53ca1e38470ae9d04184a5da1e66016504e6505b7735f5b42e29320cc6bf5f61ee3220b77c39f911faff605efec669f46f1e1ded1d06e7651e9a112e6344065f31431733e9a32682d44b83124fd2a126032548e13abd84f58ad5b46e1ae871200e45530167ade31e6be8b2e4abfdf53b8eba67af5984cc5c75d09daa5c72c42636a2ac324c6ab1f8331744d2a77d70eeeb70949abceaba1c104b635b38ddd2254504b2f0b35a7c0b0a8e21406437114d96694533e493839ef9b3b51c2b0571ea6dcce748b6b6de805010ca4938b35905704ebd9e880222586489eb40dab12d2d6a40885d23c33ed0f5d5b7908a28543962a2c5c6b1bf74cd8695f9456bccf207eaac5cd336f7a27ab5b472532a063ec337945858b14a71bb5ccd9cb2af109ad943363e528519e7422891118c8ce7bbdfe6c855087375f3960d86b7d2e506b2c08a54a86177207d6cd1feba68f3454aaf1184eb867d2f04f354ea20ffd5db3d250270870203010001a351304f300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604148570009f77591e8cac3c9f77262819cc9ac18f32301006092b06010401823715010403020100300d06092a864886f70d01010b050003820201004f2574bd1f624f5f0ff74222d7d1d65304232ec5d5d7072b6b793b5f6d90ed1355d382f1f5028f3ef996267e0d421876fc6055825a86bd113339690fcee0b02bf15d19dfd8d2fa86a4cccdacf0d0ae9a8b2b248f03c1350d20b3dfc742ea77292e0a12fc0b1a458dd931840d8d02c0acfad212bf1e6a343eea8300a348754e72662da1a5129f37a85d4a7759cfd63afc30c5a609a5bfb108e3fb2c9f76c4fb4e611d6d23f3766985eb49bb0df73dd0aa05bcdd3d6e80445ed99a68ecc989c7e61a18f860a0e78cf6e6516f0ee025b863f9f9c20b8c3c9cb2f042cdbec3f5fe4929559c5e8696fba1ed6d2686e8b8208b5cc6e72d31c5aaca7d4b7da059a41efb5071e9afcfd6aa0d99de8e95269731a5f47f6df46815b8e3f7add8efd13875025ffd6d4efcb6fc2f451ba9cad11e7aff75181536c120e45f483a95eb7be4f5f6f4fec94b21a2a9ea8a9925cbe8444090d539b46b239b52bcc0c17e17666e650bf5741596a866ed856854b224e87588644589853c7a656b96e0f259ea4725660f6a1b0c3fd44ae64b26174709fed4d7b8e0cee72f94ad808b6770ccb77bcf1b2bb9d15bbdb8035cb1f01b412ce6535516e74a0e41089937e2a9d76d0e6a45e5ece388a9fdb69bc32820ceabc2936b516553bfa05e7b9d26349a514c8ca638d5865b3c55ee50ec000bcaacdcca10abdf189bd2ac0c8d084515af8535355ae526bc	PowerSaver.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

WscReg.exe360TS_Setup.exeEaInstHelper64.exeQHActiveDefense.exe

pid	process
4460	WscReg.exe
4460	WscReg.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
4176	EaInstHelper64.exe
4176	EaInstHelper64.exe
3532	360TS_Setup.exe
3532	360TS_Setup.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe

Suspicious behavior: LoadsDriver 12 IoCs

Processes:

360TS_Setup.exeQHActiveDefense.exe

pid	process
644
644
3532	360TS_Setup.exe
3532	360TS_Setup.exe
644
644
644
644
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe
3272	QHActiveDefense.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exeQHActiveDefense.exeQHActiveDefense.exe

description	pid	process
Token: SeManageVolumePrivilege	4936	360TS_Setup_Mini.exe
Token: SeLoadDriverPrivilege	3532	360TS_Setup.exe
Token: SeLoadDriverPrivilege	3532	360TS_Setup.exe
Token: SeDebugPrivilege	3532	360TS_Setup.exe
Token: SeDebugPrivilege	3532	360TS_Setup.exe
Token: SeDebugPrivilege	4976	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	3272	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	3272	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	3272	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	3272	QHActiveDefense.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

4936 360TS_Setup_Mini.exe
4936 360TS_Setup_Mini.exe
4936 360TS_Setup_Mini.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

4936 360TS_Setup_Mini.exe
4936 360TS_Setup_Mini.exe
4936 360TS_Setup_Mini.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exeWscReg.exeWscReg.exeQHActiveDefense.exe

pid process

3880 360TS_Setup.exe
3532 360TS_Setup.exe
4460 WscReg.exe
3380 WscReg.exe
4976 QHActiveDefense.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exeWscReg.exeQHActiveDefense.exe

description	pid	process	target process
PID 4936 wrote to memory of 3880	4936	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4936 wrote to memory of 3880	4936	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4936 wrote to memory of 3880	4936	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 3880 wrote to memory of 3532	3880	360TS_Setup.exe	360TS_Setup.exe
PID 3880 wrote to memory of 3532	3880	360TS_Setup.exe	360TS_Setup.exe
PID 3880 wrote to memory of 3532	3880	360TS_Setup.exe	360TS_Setup.exe
PID 3532 wrote to memory of 4460	3532	360TS_Setup.exe	WscReg.exe
PID 3532 wrote to memory of 4460	3532	360TS_Setup.exe	WscReg.exe
PID 3532 wrote to memory of 4460	3532	360TS_Setup.exe	WscReg.exe
PID 3532 wrote to memory of 616	3532	360TS_Setup.exe	bcdedit.exe
PID 3532 wrote to memory of 616	3532	360TS_Setup.exe	bcdedit.exe
PID 3532 wrote to memory of 3692	3532	360TS_Setup.exe	bcdedit.exe
PID 3532 wrote to memory of 3692	3532	360TS_Setup.exe	bcdedit.exe
PID 3532 wrote to memory of 4756	3532	360TS_Setup.exe	regsvr32.exe
PID 3532 wrote to memory of 4756	3532	360TS_Setup.exe	regsvr32.exe
PID 3532 wrote to memory of 4756	3532	360TS_Setup.exe	regsvr32.exe
PID 4756 wrote to memory of 1308	4756	regsvr32.exe	regsvr32.exe
PID 4756 wrote to memory of 1308	4756	regsvr32.exe	regsvr32.exe
PID 3532 wrote to memory of 4028	3532	360TS_Setup.exe	PowerSaver.exe
PID 3532 wrote to memory of 4028	3532	360TS_Setup.exe	PowerSaver.exe
PID 3532 wrote to memory of 4028	3532	360TS_Setup.exe	PowerSaver.exe
PID 3532 wrote to memory of 3380	3532	360TS_Setup.exe	WscReg.exe
PID 3532 wrote to memory of 3380	3532	360TS_Setup.exe	WscReg.exe
PID 3532 wrote to memory of 3380	3532	360TS_Setup.exe	WscReg.exe
PID 4148 wrote to memory of 4176	4148	WscReg.exe	EaInstHelper64.exe
PID 4148 wrote to memory of 4176	4148	WscReg.exe	EaInstHelper64.exe
PID 3532 wrote to memory of 4976	3532	360TS_Setup.exe	QHActiveDefense.exe
PID 3532 wrote to memory of 4976	3532	360TS_Setup.exe	QHActiveDefense.exe
PID 3532 wrote to memory of 4976	3532	360TS_Setup.exe	QHActiveDefense.exe
PID 3272 wrote to memory of 936	3272	QHActiveDefense.exe	QHSafeTray.exe
PID 3272 wrote to memory of 936	3272	QHActiveDefense.exe	QHSafeTray.exe
PID 3272 wrote to memory of 936	3272	QHActiveDefense.exe	QHSafeTray.exe

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3880

C:\Program Files (x86)\1675140462_0\360TS_Setup.exe
"C:\Program Files (x86)\1675140462_0\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1 /TSinstall
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\1675140507_00000000_wscreg\WscReg.exe
/regas:1_1
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set {bootmgr} flightsigning on
4⤵
- Modifies boot configuration data using bcdedit
PID:616

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set flightsigning on
4⤵
- Modifies boot configuration data using bcdedit
PID:3692

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
5⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1308

C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
"C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:4028

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe" /installsrv
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3380

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe
"C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"
4⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
5⤵
PID:4212

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4148

C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe
"C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe" /Install_run
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
/showtrayicon
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:936

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /install
3⤵
PID:972

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=1
3⤵
PID:2592

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /ExShowTrayIcon
4⤵
PID:3636

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /ExShowTrayIcon
3⤵
PID:3340

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\safemon\safemon.dll"
3⤵
PID:672

C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe
"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe"
3⤵
PID:2712

C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe
"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe" /lowrun
4⤵
PID:2404

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /watch
2⤵
PID:3292

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"
2⤵
PID:4836

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\bdfltlib.dll"
2⤵
PID:920

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\scan.dll"
2⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1675140462_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Program Files (x86)\1675140462_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360NetBase.dll
Filesize
1.4MB

MD5
14c6b4bbd31f6fd13530bc941cc71d1a

SHA1
ce4e38ac82a54f64d318507ddc28f9ffbb378f0f

SHA256
401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5

SHA512
c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

Download Submit
C:\Program Files (x86)\360\Total Security\360TSCommon.dll
Filesize
483KB

MD5
fd9ec3f6ae3ec4e72c7d8adb9d977480

SHA1
304b83eb514354a86c9b136ac32badcec616fed8

SHA256
deddae3c60a724e167107cda7d4ad0481d8ab451f61081eff7730d0f114da918

SHA512
22a47674c2000c175594e8b9f95d23665481a2f2c84f8870a4ad58095aa107b9a0ba61a5315ebdfcd1ec6a4b3031bb3e21ee6e2624d57daae20c587592cce5fd

Download Submit
C:\Program Files (x86)\360\Total Security\CrashReport.dll
Filesize
170KB

MD5
94a08d898c2029877e752203a477d22f

SHA1
d8a4c261b94319b4707ee201878658424e554f36

SHA256
07ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169

SHA512
79a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6

Download Submit
C:\Program Files (x86)\360\Total Security\CrashReport.dll
Filesize
170KB

MD5
94a08d898c2029877e752203a477d22f

SHA1
d8a4c261b94319b4707ee201878658424e554f36

SHA256
07ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169

SHA512
79a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6

Download Submit
C:\Program Files (x86)\360\Total Security\I18N.dll
Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\I18N.dll
Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll
Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll
Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll
Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\QHVer.dll
Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe
Filesize
146KB

MD5
bebc39160a8446ec0e9693f5da3e8380

SHA1
9c4a2817429159eb4357ead9fca2d07d9d7c3f21

SHA256
ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56

SHA512
67281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718

Download Submit
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
C:\Program Files (x86)\360\Total Security\config.ini
Filesize
146B

MD5
259b45ba3e50c2921cbe47da65d08651

SHA1
e694804d77e49bdf69943501fab96533e281b653

SHA256
6228e04578135ea2b289038dbb9cd3e854626ddcc77905c955783f505d67511c

SHA512
9d4cb718772dd4131ce937ed72a634cf06798b7f5363e93d711228aea01454fb6ae50071d79023897993d2891fa7f3654b781eafd15389fd53de88ab4c1bcab2

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\360FsFlt_win10.sys
Filesize
527KB

MD5
0e91072224732381b04b5b7001cce459

SHA1
5d1c1ed761d99d7356641672bc38e4efb74ecafc

SHA256
726a10a2f2e03bd5d85ba58d877606c42338245f7471aed88442dffd807605b1

SHA512
5f453a45d7a2ab3e10898ab6d17526864c6ee8217f0825092a5a5288089cd310e0a33eb93c1b828987f5977229bfe8e0f39180050a47b26b6c24624b4cb0957a

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\BAPI.dll
Filesize
251KB

MD5
27a0b5e6e7f3fe42e272c6c4d7ebccc1

SHA1
aa7f3d9b3eca5419f098afbd049b407791843b71

SHA256
cf10bc33555da5a334b1fd77de9a215eb6e2880a3b7c6b27f46492c32ed374a7

SHA512
07d229ddb28fefabc7310e73ac653818084500966f77afa1ad55c3fa9ed47fa28ec99fff731d0edf39e3d5a97e116086619c3bc9a9be68bc1d5071970ecb10de

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\qutmload.dll
Filesize
111KB

MD5
b2fd7b345d3683210a2a465a886ddb9e

SHA1
2aa774cbae5c9460945ffb850b990d3159c091f6

SHA256
eed8df7dc1f0e59b367cf49aa53c91f05953d0164f2d0900ab8ec738a413e5e1

SHA512
62e29140ae56b9aaa1872a070ef343e085802fc9dd46245456326a67288d452e81d986672ea30d232c9241011412af728672d6b6844b481037f448e8c180cf4c

Download Submit
C:\Program Files (x86)\360\Total Security\filemon\360AvFlt.dll
Filesize
53KB

MD5
da5e35c6395a34acaa5a0eb9b71ff85a

SHA1
5da7e723aaa5859ab8f227455d80d8afa7696e22

SHA256
5e11c25e4d6e146c5e10fcbc21b2cdb5e97ec47f25c416e5d263985f3d964172

SHA512
49660339594abff9b0590bc3f401634a514834cf98fa8715b05a57a3cea575d74859681984d8c2c601d5fe947701f8f110450fac764a5d32096e24d7eadcdd2c

Download Submit
C:\Program Files (x86)\360\Total Security\filemon\AVCheck.dll
Filesize
321KB

MD5
0fc2f13d9e0cfbd4903a77051348d16a

SHA1
c1df2fe56cbd15271020e48751c39ab482f6eaca

SHA256
7b79ca1ec9ea05d6549218af8c646f8cb25c563e66d810ca8890340066cff72b

SHA512
6977514116a2fa2c0a884b46975cfa048d966448e493c1415467d6be8719c6b40db0181a861f9e0ef53aa90a3b04012e02e6aecb70230745c487355170416efc

Download Submit
C:\Program Files (x86)\360\Total Security\i18n.dll
Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\en\UrlSettings.dll.locale
Filesize
22KB

MD5
627cbb9d1671cd7a553cb9e59e765bbf

SHA1
4a4916f14c4ca7d26dac88ff4a5884761d8c5a70

SHA256
063e660b1e32cbaefb8b928f1fa638853bbcb6b996bb08496fc861fc5425a840

SHA512
cfe0246353d9670ac7d77994633e8c55aca4a3ecc889c52d09949e427d5e5e06056678de15ecc3017af81ca6ca1333f624f8652a7488dd4e317c6a46c8719237

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\en\safemon\360procmon.dll.locale
Filesize
106KB

MD5
7bdac7623fb140e69d7a572859a06457

SHA1
e094b2fe3418d43179a475e948a4712b63dec75b

SHA256
51475f2fa4cf26dfc0b6b27a42b324a109f95f33156618172544db97cbf4dddd

SHA512
fbed994a360ecff425728b1a465c14ffe056c9b227c2eb33f221e0614984fd21670eddb3681c20e31234a57bfe26bcf02c6a3b5e335d18610d09b4ed14aa5fb2

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\i18n.ini
Filesize
246B

MD5
dfc82f7a034959dac18c530c1200b62c

SHA1
9dd98389b8fd252124d7eaba9909652a1c164302

SHA256
f421332fd132d8405cad34871425c9922e4a1b172d74f86b9e4e7ee750205919

SHA512
0acb2a043303ab1c033313d62b9b4dad8ca240e345195c87776f99f129a93946036835872b336a8efd996657c37acf56da7c01d68add340408e8fce72fc66fe5

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\360Box.dll
Filesize
50KB

MD5
f398c9c333589ed57bb5a99eb2d32d13

SHA1
1fcac85e06506f332cae1d29451abe6808d8d39b

SHA256
1587d34c58ff2376384a0f3b279248d080724809eaf5f251cc2dda7896f04602

SHA512
0282f9ab1084fe093e097b6c33adfe2de59d4ed3a9eae12698df7295498ba56d4e8250a130af9f7284cd962691340246a15b3d32e9bf1df22ddd128f44d1205c

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\360hvm.dll
Filesize
23KB

MD5
e540bc23b3f5934dee4d7b7b39fc3ac2

SHA1
465f0b0e4fe49b81a43980dd0cf40e068e98abed

SHA256
e794c636a50b5f51e0bd233c59c9144277a94792d3537460123a39c583d01421

SHA512
39412ddea1f7b16ae1b6d89db7f7c24b92b1b310f3d9191ab82bfa01283044d3c4e991a5fd4efee98d00c1e65d76328bd396138e5dfc90f44ed49ed605f8e764

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\DrvUtility.dll
Filesize
171KB

MD5
bc8917f469a0e356c015ad6a31acc134

SHA1
a2e0fbcff53018ed92754065beb0a16e35339cf3

SHA256
4f798cf1e27dd355709c4ebe11a24b17ee832b4051f8952d9ae12942e0ccc5a9

SHA512
f9039ea609c18174dd76f5a89b6af4908573fe194cfaf412430c755da0626dce7b92f668e5cac6b195c91f17cc4eaf4ddb963b95bc6de7483c05436f7f4f59c8

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\X64For32Lib.dll
Filesize
59KB

MD5
bdce31fc701c9aa16ca392a561ba102d

SHA1
58bbdeb96e7819b00d60f0e6580dfc455774a9f7

SHA256
3305ad2718c9bb9bd1db19cde17a184e0d7e497ff3930050c74875bc50f9690b

SHA512
2a16cc0a0bf718f661a3abe8f36b87c8b13716d5bdaa4c2768840734321f879de3d60255b67b2b858eabd627cf4302d7be0a29648bb65bedbfb5f838c9b96863

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\sbmon.dll
Filesize
366KB

MD5
c0805da6b17d760418fd2fd031880934

SHA1
f9cf240f7bd4dbd31bc57913ab6517f0dc17d7a5

SHA256
edf443a3751d042fe16b8b11b484357a1b4702310bb50fb7aba9d68725803612

SHA512
f1c458ac3c1eb6ec67b4b0c54aaef09258e41ad4fbd3cd429da3bde278dba09c2419a79625aa39bb231ef277f803cf5ea568c82eaf028cd7a23a6a2fe74306ae

Download Submit
C:\Program Files (x86)\360\Total Security\netmon\360netctrl.dll
Filesize
382KB

MD5
30c9d5470142edf4d69b00aff040f822

SHA1
7c21ed33749b58c10ad7e1d95c922244eec62fcf

SHA256
b76103ff3d6faa46537d3db213270a086ae3b5b58fe6841b03cd5f9f73c54247

SHA512
c385b70414823107903fc1eec608b064360337114dc8a6d307f2caad9ec5ec7e53a2850f26b5374deaa97b2c727206f08a0a2037d12550e6449632d165b03b7f

Download Submit
C:\Program Files (x86)\360\Total Security\netmon\netmstart.dll
Filesize
169KB

MD5
b1f70f9be9df8bb186c5bc5159690a1f

SHA1
0c9347ac3245cdeb8dcea9b3edf01fe4cfd33fe2

SHA256
ce993f7583b1f253c6d82027b89fd867390ea1563564da75684d293539edc6a2

SHA512
188419d1cbc4f1b1bec99bf77f716bb004a0228d3d36eca9d2e479735efae8970dff62f5df42f01e8174173537f0d68ae37b9d5b70b0698b52f50ee0aacc5231

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360HipsPopWnd.dll
Filesize
790KB

MD5
c77481cac4c9411aa1ead1de68c7798d

SHA1
f2288af2ee58e25de2a11da09589bb61e94ae5cb

SHA256
eb04cc2139f21f62107afaf03939c49515730cce4ed0f0e6d12199445b5f377a

SHA512
bbde3700933d5264ec024f866dc1c6b5d7e51d6368f3614aa95fbbe93fb9ee593e87f61e7f945d141d883d4d2a07c22114bb98e262f2afbccc7ec485cffde3cc

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360SPTool.exe
Filesize
165KB

MD5
259affe7b271b29d4b04d678c94bc776

SHA1
073f326b4ce111ace97df011f8ffb78bbefcdbd2

SHA256
92d35442715cb9c7dee115e146daa72bbb5c408ae03bb6bb5b6f834ff1867444

SHA512
e042c2ecb0f2f53a2d1555799d30aff474dfeea01033761f7f9298fa5575f5c23db5819bd850209c1b916ba3d7bd8f32a31c8b81ab9ac65a0d0a27be353aeb63

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll
Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll
Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll
Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
Filesize
1.1MB

MD5
7e0bce805d94db8b88971a0fe03ec52e

SHA1
f4ce366ed9958d1f25426e5914b6806aa9790a33

SHA256
e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2

SHA512
d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
Filesize
1.1MB

MD5
7e0bce805d94db8b88971a0fe03ec52e

SHA1
f4ce366ed9958d1f25426e5914b6806aa9790a33

SHA256
e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2

SHA512
d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\softmgr\360elam64.sys
Filesize
16KB

MD5
67e72ee5dcd6e2c69d9c1f457fd0e3c9

SHA1
1da65ca2fd47f10ec7eac55fdb5bfce19bb90de3

SHA256
7f3f8cde5989c7339f4862dd44ecd827fbf06d0ae6152c17907e27e822e0bf82

SHA512
d715cc1761a025e0df4296a4c37c4e799c6006dce6bf63215f9864cf853cc5f7917fd24baa1cac775e8b74005eebb6fc42b211876bf386af0062364c6ee2fd77

Download Submit
C:\Program Files (x86)\360\Total Security\softmgr\EaInstHelper64.exe
Filesize
146KB

MD5
bebc39160a8446ec0e9693f5da3e8380

SHA1
9c4a2817429159eb4357ead9fca2d07d9d7c3f21

SHA256
ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56

SHA512
67281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
2KB

MD5
e3f19580788ce1e1229aac360daf9537

SHA1
ca034b00c27080edb9f518d5f9da97e5a6c20767

SHA256
b2453e292bc9ff4371e4f657622fc9dc143672e5db0a5d878d1d9c3607678a86

SHA512
f440339ff9e80c5ec34fc3428491b0c8af18a228e83e42887f40562f522f414601dc76c5d70a0a264dfbd9c0db5a8607282949df2a44b3b75aca386efea22ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
9bf10855213d2d2b26123cd2a04220b8

SHA1
231d2ed3b9098617f196e89cee3c2a82b38b5d40

SHA256
a508e5bc0086119681076c2b05889d6f70047f971342d65792776ab7b53ca1e9

SHA512
df78a9f4ed0296f9a16d17672758411306e1b3664e9c6aece1ec738da350e2ee703f5c4f30167c4d5b54de8d154a7a4dc7250420c024e26063c8521a333e3dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
488B

MD5
f4333ddf9e2aba197d98910495d257c1

SHA1
bb12836f2953d23b44743994b1d34ccdebd7e59e

SHA256
11325343244267a682db4638082af434c5503440641d3dcbb544eed9f0b0092f

SHA512
181f18ea52763d9424c3228f9145f1f88f23ce568ee4eb76fef6013031cd1f22fd8814ba9438c7a84a4609aea9b91af4447ab5ec44bd40d854ac6a14e489390d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
5bcdd8aba4d30a89be0e8b324103d957

SHA1
93e6d0f3e0a5cc79260f1a6ee3ee196e7dad6154

SHA256
18c20d7bbcbc705e990ee738b1cf0103e56cb171fa7aa2f33b3233152b446cb4

SHA512
06b88797aeae7a08365b3d7921dd1771520882265d2d7863f88ef663c16ccf8d003b20377e4e5b1bd8765f0158021eaf4b4c70240a443cadaab0d8aacf0b48a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675140462_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675140483_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675140507_00000000_wscreg\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675140507_00000000_wscreg\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20230131044803_240636312\7z.dll
Filesize
1.1MB

MD5
e74067bfda81cd82fe3a5fc2fdb87e2b

SHA1
de961204751d9af1bab9c2a9ba16edc7a4ae7388

SHA256
898bf5db34d9997b3d90b87091f34ae4e3e9cf34b6f2ae7fb8fd86e8a1bb684e

SHA512
c0b1d851d97df2635b865d7f0a252881eef622363e08190e1f45ec308fdbd81f94ece53a6c2b1b36c38fcb82c2b8262f31a936a399cee567631b9146cf3ef60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6D2BE7A1-C2D8-42c3-A32F-F0238FA97FA0}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/616-152-0x0000000000000000-mapping.dmp

Download
memory/672-212-0x0000000000000000-mapping.dmp

Download
memory/920-224-0x0000000000000000-mapping.dmp

Download
memory/936-207-0x0000000000000000-mapping.dmp

Download
memory/972-208-0x0000000000000000-mapping.dmp

Download
memory/1308-172-0x0000000000000000-mapping.dmp

Download
memory/2404-217-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/2404-221-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-222-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-220-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-219-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/2404-218-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/2404-216-0x0000000000000000-mapping.dmp

Download
memory/2592-209-0x0000000000000000-mapping.dmp

Download
memory/2712-215-0x0000000000000000-mapping.dmp

Download
memory/3292-213-0x0000000000000000-mapping.dmp

Download
memory/3340-210-0x0000000000000000-mapping.dmp

Download
memory/3380-179-0x0000000000000000-mapping.dmp

Download
memory/3532-137-0x0000000000000000-mapping.dmp

Download
memory/3636-211-0x0000000000000000-mapping.dmp

Download
memory/3692-153-0x0000000000000000-mapping.dmp

Download
memory/3880-133-0x0000000000000000-mapping.dmp

Download
memory/4028-174-0x0000000000000000-mapping.dmp

Download
memory/4176-185-0x0000000000000000-mapping.dmp

Download
memory/4212-225-0x0000000000000000-mapping.dmp

Download
memory/4320-223-0x0000000000000000-mapping.dmp

Download
memory/4460-145-0x0000000000000000-mapping.dmp

Download
memory/4756-169-0x0000000000000000-mapping.dmp

Download
memory/4836-214-0x0000000000000000-mapping.dmp

Download
memory/4976-188-0x0000000000000000-mapping.dmp

Download