URL:

https://drive.google.com/file/d/1_wU0nKw7_E21-bmk61SEJ7O3ayoZNIQz/view?pli=1

Full analysis: https://app.any.run/tasks/f4987026-9dc8-4f4d-9a21-94f1356ea2ab
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 20, 2025, 12:19:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
java
stealer
loader
greyware
Indicators:
MD5:

D8D95489465FE27B89B31CAEF86BB8FE

SHA1:

812A4A3C02A91D83089D64E9DDB3D2EE4322A147

SHA256:

4FCECF0C7F1D99CDC75527F34E740F2022956E45A83F5881183F32EDED09D199

SSDEEP:

3:N8PMMtZJuloASBsnIoObMck4mI3M5:2ABUsnjObdk4S5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • irsetup.exe (PID: 7132)
      • 360TS_Setup.exe (PID: 8404)
      • regsvr32.exe (PID: 7476)
      • PowerSaver.exe (PID: 8568)
      • WscReg.exe (PID: 8812)
      • csrss.exe (PID: 608)
      • WscReg.exe (PID: 8800)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 3048)
      • QHActiveDefense.exe (PID: 7712)
      • csrss.exe (PID: 524)
      • QHSafeTray.exe (PID: 1244)
      • PopWndLog.exe (PID: 7488)
      • QHSafeTray.exe (PID: 5264)
      • PopWndLog.exe (PID: 7528)
      • regsvr32.exe (PID: 8536)
      • QHSafeTray.exe (PID: 2536)
      • KB931125-rootsupd.exe (PID: 188)
      • WscReg.exe (PID: 2876)
      • WscReg.exe (PID: 7428)
      • regsvr32.exe (PID: 8980)
      • regsvr32.exe (PID: 5904)
    • Changes the autorun value in the registry

      • 360TS_Setup.exe (PID: 8404)
      • QHActiveDefense.exe (PID: 7712)
      • KB931125-rootsupd.exe (PID: 188)
    • Executing a file with an untrusted certificate

      • PowerSaver.exe (PID: 8568)
      • EaInstHelper64.exe (PID: 2848)
      • QHWatchdog.exe (PID: 8128)
      • QHWatchdog.exe (PID: 4860)
      • KB931125-rootsupd.exe (PID: 188)
      • javaw.exe (PID: 3576)
    • Registers / Runs the DLL via REGSVR32.EXE

      • 360TS_Setup.exe (PID: 8404)
      • QHSafeTray.exe (PID: 1244)
      • QHActiveDefense.exe (PID: 7712)
    • Application was injected by another process

      • explorer.exe (PID: 4772)
    • Runs injected code in another process

      • QHSafeTray.exe (PID: 1244)
  • SUSPICIOUS

    • Checks for Java to be installed

      • jre-8u461-windows-x64.exe (PID: 8132)
      • irsetup.exe (PID: 7132)
      • msiexec.exe (PID: 7360)
      • msiexec.exe (PID: 4580)
      • installer.exe (PID: 4512)
      • jp2launcher.exe (PID: 7988)
      • ssvagent.exe (PID: 2312)
      • TLauncher.exe (PID: 2384)
      • jp2launcher.exe (PID: 3704)
      • msiexec.exe (PID: 8352)
      • javaw.exe (PID: 8640)
    • Reads security settings of Internet Explorer

      • jre-8u461-windows-x64.exe (PID: 8132)
      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • irsetup.exe (PID: 7132)
      • BrowserInstaller.exe (PID: 4820)
      • irsetup.exe (PID: 7424)
      • 360-installer-bro.exe (PID: 1480)
      • installer.exe (PID: 4512)
      • javaw.exe (PID: 3148)
      • jp2launcher.exe (PID: 3704)
      • jp2launcher.exe (PID: 7988)
      • 360TS_Setup.exe (PID: 8404)
      • java.exe (PID: 8952)
      • QHSafeTray.exe (PID: 1244)
      • PopWndLog.exe (PID: 7488)
      • PopWndLog.exe (PID: 7528)
      • QHActiveDefense.exe (PID: 7712)
    • Reads Microsoft Outlook installation path

      • jre-8u461-windows-x64.exe (PID: 8132)
      • irsetup.exe (PID: 7132)
    • Executable content was dropped or overwritten

      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • irsetup.exe (PID: 7132)
      • BrowserInstaller.exe (PID: 4820)
      • irsetup.exe (PID: 7424)
      • 360-installer-bro.exe (PID: 1480)
      • installer.exe (PID: 4512)
      • 360TS_Setup.exe (PID: 1660)
      • 360TS_Setup.exe (PID: 8404)
      • javaw.exe (PID: 3148)
      • java.exe (PID: 8952)
      • jre-8u461-windows-x64.exe (PID: 8132)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 3048)
      • KB931125-rootsupd.exe (PID: 188)
      • QHActiveDefense.exe (PID: 7712)
      • javaw.exe (PID: 3576)
    • Reads Internet Explorer settings

      • jre-8u461-windows-x64.exe (PID: 8132)
      • irsetup.exe (PID: 7132)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4580)
    • Application launched itself

      • msiexec.exe (PID: 4580)
      • QHSafeTray.exe (PID: 1244)
      • PopWndLog.exe (PID: 7488)
    • Creates file in the systems drive root

      • explorer.exe (PID: 4772)
      • 360TS_Setup.exe (PID: 8404)
    • There is functionality for taking screenshot (YARA)

      • jre-8u461-windows-x64.exe (PID: 8132)
      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • 360TS_Setup.exe (PID: 1660)
      • 360TS_Setup.exe (PID: 8404)
    • Reads Mozilla Firefox installation path

      • MSIB6B1.tmp (PID: 1332)
      • installer.exe (PID: 4512)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4580)
      • WinRAR.exe (PID: 8236)
      • javaw.exe (PID: 3148)
      • 360TS_Setup.exe (PID: 8404)
      • java.exe (PID: 8952)
      • KB931125-rootsupd.exe (PID: 188)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4580)
      • javaw.exe (PID: 3148)
      • java.exe (PID: 8952)
    • Potential Corporate Privacy Violation

      • 360-installer-bro.exe (PID: 1480)
    • Process requests binary or script from the Internet

      • 360-installer-bro.exe (PID: 1480)
      • 360TS_Setup.exe (PID: 8404)
      • java.exe (PID: 8952)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 4512)
      • ssvagent.exe (PID: 2312)
      • dxdiag.exe (PID: 5248)
      • regsvr32.exe (PID: 7476)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 7132)
      • 360TS_Setup.exe (PID: 8404)
    • Starts itself from another location

      • 360TS_Setup.exe (PID: 1660)
    • Drops 7-zip archiver for unpacking

      • 360TS_Setup.exe (PID: 8404)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 8236)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 3396)
    • Starts CMD.EXE for commands execution

      • java.exe (PID: 8952)
      • explorer.exe (PID: 4772)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3396)
      • cmd.exe (PID: 432)
      • cmd.exe (PID: 8764)
      • cmd.exe (PID: 8024)
    • The process verifies whether the antivirus software is installed

      • 360TS_Setup.exe (PID: 8404)
      • regsvr32.exe (PID: 7476)
      • PowerSaver.exe (PID: 8568)
      • WscReg.exe (PID: 8812)
      • csrss.exe (PID: 608)
      • WscReg.exe (PID: 8800)
      • QHActiveDefense.exe (PID: 3048)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 7712)
      • csrss.exe (PID: 524)
      • QHWatchdog.exe (PID: 8128)
      • explorer.exe (PID: 4772)
      • QHSafeTray.exe (PID: 1244)
      • QHSafeTray.exe (PID: 5264)
      • regsvr32.exe (PID: 8536)
      • PopWndLog.exe (PID: 7528)
      • PopWndLog.exe (PID: 7488)
      • QHSafeTray.exe (PID: 2536)
      • KB931125-rootsupd.exe (PID: 188)
      • WscReg.exe (PID: 7428)
      • regsvr32.exe (PID: 8980)
      • regsvr32.exe (PID: 5904)
      • WscReg.exe (PID: 2876)
      • javaw.exe (PID: 3576)
      • java.exe (PID: 8088)
    • Uses WMIC.EXE to obtain quick Fix Engineering (patches) data

      • cmd.exe (PID: 8764)
    • Drops a system driver (possible attempt to evade defenses)

      • 360TS_Setup.exe (PID: 8404)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 3048)
      • QHActiveDefense.exe (PID: 7712)
    • Adds/modifies Windows certificates

      • PowerSaver.exe (PID: 8568)
      • updroots.exe (PID: 5028)
      • updroots.exe (PID: 6320)
      • updroots.exe (PID: 7224)
      • QHActiveDefense.exe (PID: 7712)
      • 360TS_Setup.exe (PID: 8404)
    • Creates files in the driver directory

      • 360TS_Setup.exe (PID: 8404)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 3048)
      • QHActiveDefense.exe (PID: 7712)
    • Creates or modifies Windows services

      • 360TS_Setup.exe (PID: 8404)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 3048)
      • QHActiveDefense.exe (PID: 7712)
      • QHSafeTray.exe (PID: 1244)
    • Executes as Windows Service

      • WscReg.exe (PID: 8800)
      • QHActiveDefense.exe (PID: 7712)
      • WscReg.exe (PID: 2876)
    • Searches for installed software

      • QHSafeTray.exe (PID: 1244)
    • Zapya greyware has been detected

      • QHActiveDefense.exe (PID: 7712)
    • Starts a Microsoft application from unusual location

      • updroots.exe (PID: 7224)
      • updroots.exe (PID: 6320)
      • updroots.exe (PID: 8644)
      • updroots.exe (PID: 5028)
    • Executing commands from ".cmd" file

      • explorer.exe (PID: 4772)
  • INFO

    • Java executable

      • jre-8u461-windows-x64.exe (PID: 2076)
      • jre-8u461-windows-x64.exe (PID: 8008)
      • jre-8u461-windows-x64.exe (PID: 8132)
      • MSIB6B1.tmp (PID: 1332)
      • installer.exe (PID: 4512)
    • Application launched itself

      • chrome.exe (PID: 4724)
    • Checks supported languages

      • jre-8u461-windows-x64.exe (PID: 2076)
      • jre-8u461-windows-x64.exe (PID: 8132)
      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • irsetup.exe (PID: 7132)
      • msiexec.exe (PID: 4580)
      • msiexec.exe (PID: 7360)
      • BrowserInstaller.exe (PID: 4820)
      • irsetup.exe (PID: 7424)
      • MSIB6B1.tmp (PID: 1332)
      • jaureg.exe (PID: 7996)
      • 360-installer-bro.exe (PID: 1480)
      • installer.exe (PID: 4512)
      • javaw.exe (PID: 6224)
      • TLauncher.exe (PID: 2384)
      • javaw.exe (PID: 3148)
      • javaws.exe (PID: 7644)
      • jp2launcher.exe (PID: 7988)
      • ssvagent.exe (PID: 2312)
      • javaws.exe (PID: 6220)
      • jp2launcher.exe (PID: 3704)
      • 360TS_Setup.exe (PID: 1660)
      • 360TS_Setup.exe (PID: 8404)
      • msiexec.exe (PID: 8556)
      • msiexec.exe (PID: 8352)
      • javaw.exe (PID: 8640)
      • javaw.exe (PID: 8736)
      • chcp.com (PID: 8296)
      • chcp.com (PID: 5556)
      • java.exe (PID: 8952)
      • chcp.com (PID: 8840)
      • chcp.com (PID: 7016)
      • msiexec.exe (PID: 5288)
      • javaw.exe (PID: 7956)
      • msiexec.exe (PID: 7532)
      • PowerSaver.exe (PID: 8568)
      • WscReg.exe (PID: 8812)
      • WscReg.exe (PID: 8800)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 3048)
      • QHActiveDefense.exe (PID: 7712)
      • QHSafeTray.exe (PID: 1244)
      • QHWatchdog.exe (PID: 8128)
      • PopWndLog.exe (PID: 7488)
      • QHSafeTray.exe (PID: 5264)
      • PopWndLog.exe (PID: 7528)
      • QHSafeTray.exe (PID: 2536)
      • QHWatchdog.exe (PID: 4860)
      • KB931125-rootsupd.exe (PID: 188)
      • updroots.exe (PID: 7224)
      • updroots.exe (PID: 6320)
      • updroots.exe (PID: 8644)
      • updroots.exe (PID: 5028)
      • WscReg.exe (PID: 7428)
      • WscReg.exe (PID: 2876)
      • javaw.exe (PID: 3576)
      • java.exe (PID: 8088)
    • Create files in a temporary directory

      • jre-8u461-windows-x64.exe (PID: 2076)
      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • irsetup.exe (PID: 7132)
      • BrowserInstaller.exe (PID: 4820)
      • MSIB6B1.tmp (PID: 1332)
      • 360-installer-bro.exe (PID: 1480)
      • irsetup.exe (PID: 7424)
      • javaw.exe (PID: 6224)
      • javaw.exe (PID: 3148)
      • jp2launcher.exe (PID: 7988)
      • jp2launcher.exe (PID: 3704)
      • 360TS_Setup.exe (PID: 1660)
      • 360TS_Setup.exe (PID: 8404)
      • java.exe (PID: 8952)
      • javaw.exe (PID: 7956)
      • KB931125-rootsupd.exe (PID: 188)
      • javaw.exe (PID: 3576)
      • java.exe (PID: 8088)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 4724)
      • msiexec.exe (PID: 4580)
      • WinRAR.exe (PID: 8236)
    • Reads the computer name

      • jre-8u461-windows-x64.exe (PID: 2076)
      • jre-8u461-windows-x64.exe (PID: 8132)
      • irsetup.exe (PID: 7132)
      • msiexec.exe (PID: 4580)
      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • msiexec.exe (PID: 7360)
      • MSIB6B1.tmp (PID: 1332)
      • BrowserInstaller.exe (PID: 4820)
      • 360-installer-bro.exe (PID: 1480)
      • irsetup.exe (PID: 7424)
      • installer.exe (PID: 4512)
      • javaw.exe (PID: 3148)
      • javaws.exe (PID: 7644)
      • jp2launcher.exe (PID: 7988)
      • javaws.exe (PID: 6220)
      • jp2launcher.exe (PID: 3704)
      • 360TS_Setup.exe (PID: 1660)
      • msiexec.exe (PID: 8352)
      • 360TS_Setup.exe (PID: 8404)
      • msiexec.exe (PID: 8556)
      • javaw.exe (PID: 8640)
      • javaw.exe (PID: 8736)
      • java.exe (PID: 8952)
      • msiexec.exe (PID: 5288)
      • msiexec.exe (PID: 7532)
      • javaw.exe (PID: 7956)
      • WscReg.exe (PID: 8812)
      • WscReg.exe (PID: 8800)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 3048)
      • QHActiveDefense.exe (PID: 7712)
      • QHSafeTray.exe (PID: 1244)
      • PopWndLog.exe (PID: 7488)
      • PopWndLog.exe (PID: 7528)
      • QHSafeTray.exe (PID: 5264)
      • QHSafeTray.exe (PID: 2536)
      • WscReg.exe (PID: 2876)
      • WscReg.exe (PID: 7428)
      • javaw.exe (PID: 3576)
      • java.exe (PID: 8088)
    • Reads Environment values

      • jre-8u461-windows-x64.exe (PID: 8132)
      • QHSafeTray.exe (PID: 1244)
      • QHActiveDefense.exe (PID: 7712)
    • Creates files or folders in the user directory

      • jre-8u461-windows-x64.exe (PID: 8132)
      • msiexec.exe (PID: 4580)
      • irsetup.exe (PID: 7132)
      • irsetup.exe (PID: 7424)
      • explorer.exe (PID: 4772)
      • 360-installer-bro.exe (PID: 1480)
      • javaw.exe (PID: 3148)
      • 360TS_Setup.exe (PID: 8404)
      • java.exe (PID: 8952)
      • dxdiag.exe (PID: 5248)
      • QHSafeTray.exe (PID: 1244)
      • javaw.exe (PID: 3576)
    • Reads the machine GUID from the registry

      • jre-8u461-windows-x64.exe (PID: 8132)
      • msiexec.exe (PID: 4580)
      • irsetup.exe (PID: 7132)
      • irsetup.exe (PID: 7424)
      • 360-installer-bro.exe (PID: 1480)
      • javaw.exe (PID: 3148)
      • 360TS_Setup.exe (PID: 8404)
      • java.exe (PID: 8952)
      • QHSafeTray.exe (PID: 1244)
      • QHActiveDefense.exe (PID: 7712)
      • javaw.exe (PID: 3576)
      • java.exe (PID: 8088)
    • Checks proxy server information

      • jre-8u461-windows-x64.exe (PID: 8132)
      • irsetup.exe (PID: 7132)
      • irsetup.exe (PID: 7424)
      • 360-installer-bro.exe (PID: 1480)
      • jp2launcher.exe (PID: 7988)
      • jp2launcher.exe (PID: 3704)
      • 360TS_Setup.exe (PID: 8404)
      • slui.exe (PID: 7080)
      • QHSafeTray.exe (PID: 1244)
    • Reads the software policy settings

      • jre-8u461-windows-x64.exe (PID: 8132)
      • irsetup.exe (PID: 7132)
      • msiexec.exe (PID: 4580)
      • irsetup.exe (PID: 7424)
      • 360TS_Setup.exe (PID: 8404)
      • dxdiag.exe (PID: 5248)
      • slui.exe (PID: 7080)
      • QHActiveDefense.exe (PID: 7712)
    • The sample compiled with english language support

      • chrome.exe (PID: 4724)
      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • irsetup.exe (PID: 7132)
      • msiexec.exe (PID: 4580)
      • BrowserInstaller.exe (PID: 4820)
      • irsetup.exe (PID: 7424)
      • 360-installer-bro.exe (PID: 1480)
      • installer.exe (PID: 4512)
      • 360TS_Setup.exe (PID: 8404)
      • WinRAR.exe (PID: 8236)
      • javaw.exe (PID: 3148)
      • jre-8u461-windows-x64.exe (PID: 8132)
      • java.exe (PID: 8952)
      • QHActiveDefense.exe (PID: 3048)
      • KB931125-rootsupd.exe (PID: 188)
      • javaw.exe (PID: 3576)
    • The sample compiled with portuguese language support

      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • BrowserInstaller.exe (PID: 4820)
      • irsetup.exe (PID: 7132)
    • Process checks computer location settings

      • TLauncher-Installer-1.8.8.exe (PID: 7344)
      • irsetup.exe (PID: 7132)
      • BrowserInstaller.exe (PID: 4820)
      • irsetup.exe (PID: 7424)
      • 360-installer-bro.exe (PID: 1480)
      • 360TS_Setup.exe (PID: 8404)
      • java.exe (PID: 8952)
      • QHSafeTray.exe (PID: 1244)
      • java.exe (PID: 8088)
    • Reads CPU info

      • msiexec.exe (PID: 4580)
      • java.exe (PID: 8952)
      • 360TS_Setup.exe (PID: 8404)
      • QHActiveDefense.exe (PID: 7712)
      • java.exe (PID: 8088)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 4580)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • WMIC.exe (PID: 8228)
      • WMIC.exe (PID: 8524)
      • dxdiag.exe (PID: 5248)
    • Creates files in the program directory

      • irsetup.exe (PID: 7132)
      • installer.exe (PID: 4512)
      • javaw.exe (PID: 6224)
      • javaw.exe (PID: 3148)
      • 360TS_Setup.exe (PID: 1660)
      • 360TS_Setup.exe (PID: 8404)
      • QHActiveDefense.exe (PID: 7712)
      • QHSafeTray.exe (PID: 1244)
      • PopWndLog.exe (PID: 7488)
      • PopWndLog.exe (PID: 7528)
      • WscReg.exe (PID: 7428)
    • Disables trace logs

      • 360-installer-bro.exe (PID: 1480)
      • 360TS_Setup.exe (PID: 8404)
      • QHActiveDefense.exe (PID: 7712)
      • QHSafeTray.exe (PID: 1244)
      • QHSafeTray.exe (PID: 5264)
      • QHSafeTray.exe (PID: 2536)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 4580)
    • Application based on Java

      • javaw.exe (PID: 3148)
    • JAVA mutex has been found

      • jp2launcher.exe (PID: 7988)
      • jp2launcher.exe (PID: 3704)
      • msiexec.exe (PID: 8556)
      • msiexec.exe (PID: 5288)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4772)
    • The sample compiled with chinese language support

      • 360TS_Setup.exe (PID: 1660)
      • 360TS_Setup.exe (PID: 8404)
      • EaInstHelper64.exe (PID: 2848)
      • QHActiveDefense.exe (PID: 7712)
    • Manual execution by a user

      • WinRAR.exe (PID: 8236)
      • cmd.exe (PID: 4024)
    • The sample compiled with turkish language support

      • 360TS_Setup.exe (PID: 8404)
    • Changes the display of characters in the console

      • cmd.exe (PID: 3396)
      • cmd.exe (PID: 432)
      • cmd.exe (PID: 8764)
      • cmd.exe (PID: 8024)
    • The sample compiled with russian language support

      • 360TS_Setup.exe (PID: 8404)
    • Launching a file from a Registry key

      • 360TS_Setup.exe (PID: 8404)
      • QHActiveDefense.exe (PID: 7712)
      • KB931125-rootsupd.exe (PID: 188)
    • Process checks whether UAC notifications are on

      • 360TS_Setup.exe (PID: 8404)
      • QHActiveDefense.exe (PID: 7712)
      • QHSafeTray.exe (PID: 1244)
    • Reads the time zone

      • javaw.exe (PID: 3576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 277
Monitored processes: 129
Malicious processes: 38
Suspicious processes: 4


Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: "C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"
Path: C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe
Parent process: 360TS_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
6.0.6000.16386 (vista_rtm.061101-2205)
Modules
Images
c:\program files (x86)\360\total security\modules\kb931125-rootsupd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 432
CMD: cmd.exe /C chcp 437 & set processor
Path: C:\Windows\System32\cmd.exe
Parent process: java.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 524
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 608
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1244
CMD: /showtrayicon
Path: C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
Parent process: QHActiveDefense.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
360 Total Security
Version:
10,0,0,1860
Modules
Images
c:\program files (x86)\360\total security\safemon\qhsafetray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1300
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,12574307751575925639,2611191096748367988,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3104 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1324
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=3604,i,12574307751575925639,2611191096748367988,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=6996 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1332
CMD: "C:\WINDOWS\Installer\MSIB6B1.tmp" INSTALLDIR="C:\Program Files\Java\jre1.8.0_271\\" ProductCode={26A24AE4-039D-4CA4-87B4-2F64180271F0} /s BASEIMAGECHECKSUMSHA256=
Path: C:\Windows\Installer\MSIB6B1.tmp
Parent process: msiexec.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\windows\installer\msib6b1.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 1480
CMD: "C:\Users\admin\AppData\Local\Temp\360-installer-bro.exe" /s
Path: C:\Users\admin\AppData\Local\Temp\360-installer-bro.exe
Parent process: irsetup.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
360 Total Security Online Installer
Exit code:
1
Version:
6, 6, 0, 1060
Modules
Images
c:\users\admin\appdata\local\temp\360-installer-bro.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1660
CMD: C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path: C:\Windows\System32\icacls.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
Total events: 156 140
Read events: 123 700
Write events: 15 640
Delete events: 16 800

Modification events

(PID) Process: (4724) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (4724) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (4724) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (4724) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000080244
Operation: write
Name: VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708

(PID) Process: (4724) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (4724) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Common\Rlz\Events\C
Operation: write
Name: C1F
Value: 1

(PID) Process: (8132) jre-8u461-windows-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft
Operation: delete value
Name: InstallStatus
Value:

(PID) Process: (8132) jre-8u461-windows-x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (8132) jre-8u461-windows-x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 2 222
Suspicious files: 3 428
Text files: 2 542
Unknown types: 0

Dropped files

PID   Process     Filename   (Type, MD5 and SHA256 columns are empty in this capture)
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF18d404.TMP
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF18d423.TMP
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF18d423.TMP
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF18d423.TMP
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF18d423.TMP
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
4724  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF18d443.TMP
HTTP(S) requests: 112
TCP/UDP connections: 415
DNS requests: 262
Threats: 13

HTTP requests

PID   Process                    Method  HTTP Code  IP                   URL                                                                                                                                                          Type     Reputation   (CN and Size columns are empty in this capture)
2348  chrome.exe                 GET     200        142.250.184.206:80   http://clients2.google.com/time/1/current?cup2key=8:Q6aO3ehVJX3oSwFheDPl-Hj5YIENaHKtBQ24XQGbNEw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855   unknown  whitelisted
1268  svchost.exe                GET     200        95.101.149.131:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                                                                           unknown  whitelisted
1268  svchost.exe                GET     200        23.55.110.211:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                                                                                    unknown  whitelisted
3872  svchost.exe                GET     200        2.17.190.73:80       http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D          unknown  whitelisted
7296  SIHClient.exe              GET     200        95.101.149.131:80    http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl                                                    unknown  whitelisted
7296  SIHClient.exe              GET     200        95.101.149.131:80    http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl                                                                unknown  whitelisted
8132  jre-8u461-windows-x64.exe  GET     200        184.30.131.245:80    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D          unknown  whitelisted
5468  backgroundTaskHost.exe     GET     200        184.30.131.245:80    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D  unknown  whitelisted
7132  irsetup.exe                GET     200        104.20.7.182:80      http://dl2.tlauncher.org/                                                                                                                                    unknown  malicious
4580  msiexec.exe                GET     200        184.30.131.245:80    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D          unknown  whitelisted

Connections

PID   Process              IP                     Domain                                    ASN                          CN  Reputation
4     System               192.168.100.255:137    -                                         -                            -   whitelisted
5944  MoUsoCoreWorker.exe  40.127.240.158:443     settings-win.data.microsoft.com           MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
1268  svchost.exe          40.127.240.158:443     settings-win.data.microsoft.com           MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4172  RUXIMICS.exe         40.127.240.158:443     settings-win.data.microsoft.com           MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:138    -                                         -                            -   whitelisted
2348  chrome.exe           142.250.186.106:443    safebrowsingohttpgateway.googleapis.com   GOOGLE                       US  whitelisted
2348  chrome.exe           142.250.184.206:443    clients2.google.com                       GOOGLE                       US  whitelisted
2348  chrome.exe           142.250.184.206:80     clients2.google.com                       GOOGLE                       US  whitelisted
2348  chrome.exe           108.177.15.84:443      accounts.google.com                       GOOGLE                       US  whitelisted
2348  chrome.exe           142.250.185.163:443    www.gstatic.com                           GOOGLE                       US  whitelisted

DNS requests

Domain                                    Resolved IP(s)                                                                                                                                                                                                                                                                                    Reputation
settings-win.data.microsoft.com           40.127.240.158, 51.124.78.146, 20.73.194.208                                                                                                                                                                                                                                                     whitelisted
google.com                                216.58.206.46                                                                                                                                                                                                                                                                                    whitelisted
safebrowsingohttpgateway.googleapis.com   142.250.186.106, 142.250.185.74, 142.250.185.170, 216.58.212.170, 142.250.185.202, 142.250.186.42, 142.250.186.138, 172.217.23.106, 142.250.186.74, 142.250.185.234, 142.250.185.138, 142.250.74.202, 216.58.206.74, 142.250.185.106, 172.217.16.202, 142.250.181.234   whitelisted
clients2.google.com                       142.250.184.206                                                                                                                                                                                                                                                                                  whitelisted
drive.google.com                          142.250.184.206                                                                                                                                                                                                                                                                                  whitelisted
accounts.google.com                       108.177.15.84                                                                                                                                                                                                                                                                                    whitelisted
www.gstatic.com                           142.250.185.163                                                                                                                                                                                                                                                                                  whitelisted
fonts.googleapis.com                      142.250.186.106                                                                                                                                                                                                                                                                                  whitelisted
fonts.gstatic.com                         142.250.186.163                                                                                                                                                                                                                                                                                  whitelisted
ogads-pa.clients6.google.com              142.250.186.42                                                                                                                                                                                                                                                                                   whitelisted

Threats

PID   Process                Class                                  Message
2348  chrome.exe             Not Suspicious Traffic                 INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2348  chrome.exe             Not Suspicious Traffic                 INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2348  chrome.exe             Not Suspicious Traffic                 INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2348  chrome.exe             Not Suspicious Traffic                 INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
2348  chrome.exe             Not Suspicious Traffic                 INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
1480  360-installer-bro.exe  Potential Corporate Privacy Violation  ET INFO PE EXE or DLL Windows file download HTTP
1480  360-installer-bro.exe  Misc activity                          ET INFO Packed Executable Download
3148  javaw.exe              Potentially Bad Traffic                ET INFO Vulnerable Java Version 1.8.x Detected
2200  svchost.exe            Potentially Bad Traffic                ET DNS Query to a *.top domain - Likely Hostile
8952  java.exe               Potentially Bad Traffic                ET INFO Vulnerable Java Version 21.0.x Detected
No debug info
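Most of the network rows above are certificate-revocation checks (CRL/OCSP), Windows and Chrome telemetry, and safe-browsing lookups; the one request ANY.RUN tags as malicious is irsetup.exe (PID 7132) fetching http://dl2.tlauncher.org/, and the IDS hits worth reading are the two on 360-installer-bro.exe, the "*.top domain" DNS query from svchost.exe (the queried name is not in the DNS excerpt shown here, so it cannot be listed from this page), and the two "Vulnerable Java Version" signatures, which fire on the Java HTTP client's User-Agent string and flag an old runtime rather than an attack. The script below is an added triage example and is not ANY.RUN's code: it takes a transcription of the HTTP, DNS and Threats rows (OCSP request paths shortened to the host, DNS rows a subset), keeps the non-whitelisted destinations and non-informational alerts, defangs the indicators, and builds a reverse index from IP to the names that resolved to it. The last step matters because 142.250.184.206 serves both clients2.google.com and drive.google.com in this run, so an IP-only block or hunt query would be ambiguous. The "whitelisted"/"malicious" labels are the sandbox's reputation tags and are used here as-is, not as a verdict.

```python
"""Triage helper for the network section above (added example, not ANY.RUN's code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Transcribed from the report above; OCSP request paths shortened to the host.
# Fields: PID, process, method, HTTP code, ip:port, URL, sandbox reputation.
HTTP_ROWS = [
    (2348, "chrome.exe", "GET", 200, "142.250.184.206:80", "http://clients2.google.com/time/1/current", "whitelisted"),
    (1268, "svchost.exe", "GET", 200, "95.101.149.131:80", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl", "whitelisted"),
    (3872, "svchost.exe", "GET", 200, "2.17.190.73:80", "http://ocsp.digicert.com/", "whitelisted"),
    (8132, "jre-8u461-windows-x64.exe", "GET", 200, "184.30.131.245:80", "http://ocsp.digicert.com/", "whitelisted"),
    (7132, "irsetup.exe", "GET", 200, "104.20.7.182:80", "http://dl2.tlauncher.org/", "malicious"),
    (4580, "msiexec.exe", "GET", 200, "184.30.131.245:80", "http://ocsp.digicert.com/", "whitelisted"),
]

# Subset of the DNS table. Fields: domain, resolved IPs, sandbox reputation.
DNS_ROWS = [
    ("settings-win.data.microsoft.com", ["40.127.240.158", "51.124.78.146", "20.73.194.208"], "whitelisted"),
    ("clients2.google.com", ["142.250.184.206"], "whitelisted"),
    ("drive.google.com", ["142.250.184.206"], "whitelisted"),
    ("accounts.google.com", ["108.177.15.84"], "whitelisted"),
]

# The Threats table, with the repeated jsdelivr rows collapsed to one. Fields: PID, process, class, message.
THREAT_ROWS = [
    (2348, "chrome.exe", "Not Suspicious Traffic", "INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)"),
    (2348, "chrome.exe", "Not Suspicious Traffic", "INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge"),
    (1480, "360-installer-bro.exe", "Potential Corporate Privacy Violation", "ET INFO PE EXE or DLL Windows file download HTTP"),
    (1480, "360-installer-bro.exe", "Misc activity", "ET INFO Packed Executable Download"),
    (3148, "javaw.exe", "Potentially Bad Traffic", "ET INFO Vulnerable Java Version 1.8.x Detected"),
    (2200, "svchost.exe", "Potentially Bad Traffic", "ET DNS Query to a *.top domain - Likely Hostile"),
    (8952, "java.exe", "Potentially Bad Traffic", "ET INFO Vulnerable Java Version 21.0.x Detected"),
]

# Alert classes that carry no action for a responder (chosen for this example).
INFORMATIONAL_CLASSES = {"Not Suspicious Traffic"}


def defang(indicator: str) -> str:
    """Make a URL, hostname or ip:port safe to paste: hxxp:// and [.] in the host part only."""
    if "://" in indicator:
        p = urlsplit(indicator)
        scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
        tail = p.path + (f"?{p.query}" if p.query else "")
        return f"{scheme}://{p.netloc.replace('.', '[.]')}{tail}"
    return indicator.replace(".", "[.]")


def suspicious_http(rows):
    """HTTP rows whose sandbox reputation is anything other than whitelisted."""
    return [r for r in rows if r[6] != "whitelisted"]


def ids_alerts(rows):
    """IDS hits worth reading: everything outside the informational classes."""
    return [r for r in rows if r[2] not in INFORMATIONAL_CLASSES]


def ip_to_domains(dns_rows):
    """Reverse index so a bare IP from the Connections table can be tied to the names that resolved to it."""
    index = defaultdict(set)
    for domain, ips, _reputation in dns_rows:
        for ip in ips:
            index[ip].add(domain)
    return dict(index)


def triage(http_rows=HTTP_ROWS, dns_rows=DNS_ROWS, threat_rows=THREAT_ROWS):
    """Defanged indicators, the processes behind them, the alerts to read first, and IPs shared by several names."""
    hits = suspicious_http(http_rows)
    return {
        "urls": sorted({defang(r[5]) for r in hits}),
        "ips": sorted({defang(r[4]) for r in hits}),
        "processes": sorted({f"{r[1]} (PID {r[0]})" for r in hits}),
        "alerts": [f"{r[1]} (PID {r[0]}): {r[3]}" for r in ids_alerts(threat_rows)],
        "shared_ips": {ip: sorted(names) for ip, names in ip_to_domains(dns_rows).items() if len(names) > 1},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run it and the output is a short JSON document with one defanged URL and IP, the process that fetched it, five alerts, and the one shared IP; feeding the full tables instead of the transcribed subset needs only the same tuple layout.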