URL:

https://www.360totalsecurity.com/download/360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe

Full analysis: https://app.any.run/tasks/915fd965-b2bc-4701-a9b0-10226ccb17c4
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 05, 2023, 13:11:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
stealer
qrcode
Indicators:
SHA1:

D7909FF853F04FACB0E198669A523676BCBDD3C5

SHA256:

8A0B1A13FFE7051D64C5E73CCE19766517987EB0A748FBDAE45CFBC18CA9A9FD

SSDEEP:

3:N8DSLQKRTAAFK8LWZPyHcU4tIwcIoF7EO3b8XlvDFisxkQCw44i3lM4A:2OLftFziVyHcUtwcn7EoMlvDVxkRwu3e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3736)
      • QHActiveDefense.exe (PID: 3344)
      • KB931125-rootsupd.exe (PID: 3180)
      • QHActiveDefense.exe (PID: 3388)
      • 360TS_Setup.exe (PID: 3764)
    • Creates a writable file in the system directory

      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3344)
      • QHActiveDefense.exe (PID: 3388)
    • Registers / Runs the DLL via REGSVR32.EXE

      • 360TS_Setup.exe (PID: 3764)
      • QHSafeTray.exe (PID: 3544)
      • QHActiveDefense.exe (PID: 3388)
    • Actions look like stealing of personal data

      • regsvr32.exe (PID: 1000)
      • regsvr32.exe (PID: 3180)
      • PowerSaver.exe (PID: 3376)
      • QHActiveDefense.exe (PID: 3344)
      • QHWatchdog.exe (PID: 2616)
      • DesktopPlus.exe (PID: 2980)
      • QHSafeTray.exe (PID: 3544)
      • regsvr32.exe (PID: 3480)
      • PopWndLog.exe (PID: 1848)
      • QHWatchdog.exe (PID: 3196)
      • QHSafeTray.exe (PID: 3624)
      • 360DeskAna.exe (PID: 2760)
      • DesktopPlus64.exe (PID: 2276)
      • regsvr32.exe (PID: 3192)
      • regsvr32.exe (PID: 796)
      • regsvr32.exe (PID: 2360)
      • KB931125-rootsupd.exe (PID: 3180)
      • regsvr32.exe (PID: 3444)
      • QHActiveDefense.exe (PID: 3388)
      • 360TsLiveUpd.exe (PID: 3784)
      • WscReg.exe (PID: 3676)
      • QHSafeMain.exe (PID: 3376)
      • 360TS_Setup.exe (PID: 3764)
    • Changes the autorun value in the registry

      • QHActiveDefense.exe (PID: 3388)
    • Runs injected code in another process

      • QHSafeTray.exe (PID: 3544)
    • Application was injected by another process

      • explorer.exe (PID: 1944)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3764)
      • QHSafeTray.exe (PID: 3544)
      • 360DeskAna.exe (PID: 2760)
      • QHSafeMain.exe (PID: 3376)
    • Starts itself from another location

      • 360TS_Setup.exe (PID: 3736)
    • Process requests binary or script from the Internet

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
    • Reads security settings of Internet Explorer

      • 360TS_Setup.exe (PID: 3764)
    • Reads settings of System Certificates

      • 360TS_Setup.exe (PID: 3764)
      • QHSafeMain.exe (PID: 3376)
    • Checks Windows Trust Settings

      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3388)
    • Adds/modifies Windows certificates

      • 360TS_Setup.exe (PID: 3736)
    • Drops 7-zip archiver for unpacking

      • 360TS_Setup.exe (PID: 3764)
    • Process drops legitimate windows executable

      • 360TS_Setup.exe (PID: 3764)
      • KB931125-rootsupd.exe (PID: 3180)
    • Creates files in the driver directory

      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3344)
      • QHActiveDefense.exe (PID: 3388)
    • Creates or modifies Windows services

      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3344)
      • QHActiveDefense.exe (PID: 3388)
      • QHSafeTray.exe (PID: 3544)
    • The process verifies whether the antivirus software is installed

      • regsvr32.exe (PID: 1000)
      • PowerSaver.exe (PID: 3376)
      • regsvr32.exe (PID: 3180)
      • QHActiveDefense.exe (PID: 3344)
      • explorer.exe (PID: 1944)
      • QHWatchdog.exe (PID: 2616)
      • PopWndLog.exe (PID: 1848)
      • QHSafeTray.exe (PID: 3544)
      • regsvr32.exe (PID: 3480)
      • 360TS_Setup.exe (PID: 3764)
      • DesktopPlus.exe (PID: 2980)
      • QHSafeTray.exe (PID: 3624)
      • 360DeskAna.exe (PID: 2760)
      • KB931125-rootsupd.exe (PID: 3180)
      • DesktopPlus64.exe (PID: 2276)
      • regsvr32.exe (PID: 3192)
      • regsvr32.exe (PID: 796)
      • regsvr32.exe (PID: 2360)
      • regsvr32.exe (PID: 3444)
      • 360TsLiveUpd.exe (PID: 3784)
      • WscReg.exe (PID: 3676)
      • QHSafeMain.exe (PID: 3376)
      • QHActiveDefense.exe (PID: 3388)
    • Drops a system driver (possible attempt to evade defenses)

      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3344)
      • QHActiveDefense.exe (PID: 3388)
    • Executes as Windows Service

      • QHActiveDefense.exe (PID: 3388)
    • Executed via WMI

      • 360DeskAna.exe (PID: 2760)
    • Detected use of alternative data streams (AltDS)

      • DesktopPlus64.exe (PID: 2276)
    • The process checks if it is being run in the virtual environment

      • QHSafeTray.exe (PID: 3544)
      • QHActiveDefense.exe (PID: 3388)
    • Reads the BIOS version

      • QHSafeTray.exe (PID: 3544)
      • QHActiveDefense.exe (PID: 3388)
    • Connects to the server without a host name

      • QHActiveDefense.exe (PID: 3388)
    • Searches for installed software

      • QHSafeTray.exe (PID: 3544)
  • INFO

    • Checks supported languages

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3736)
      • 360TS_Setup.exe (PID: 3764)
      • PowerSaver.exe (PID: 3376)
      • QHActiveDefense.exe (PID: 3344)
      • QHActiveDefense.exe (PID: 3388)
      • QHSafeTray.exe (PID: 3544)
      • QHWatchdog.exe (PID: 2616)
      • PopWndLog.exe (PID: 1848)
      • DesktopPlus.exe (PID: 2980)
      • 360DeskAna.exe (PID: 3444)
      • 360DeskAna.exe (PID: 2760)
      • QHWatchdog.exe (PID: 3196)
      • QHSafeTray.exe (PID: 3624)
      • KB931125-rootsupd.exe (PID: 3180)
      • updroots.exe (PID: 3320)
      • updroots.exe (PID: 3308)
      • updroots.exe (PID: 1800)
      • updroots.exe (PID: 2100)
      • QHSafeMain.exe (PID: 3376)
      • 360TsLiveUpd.exe (PID: 3784)
      • WscReg.exe (PID: 3676)
      • DesktopPlus64.exe (PID: 2276)
    • Reads the computer name

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3736)
      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3344)
      • QHActiveDefense.exe (PID: 3388)
      • QHSafeTray.exe (PID: 3544)
      • PopWndLog.exe (PID: 1848)
      • DesktopPlus.exe (PID: 2980)
      • 360DeskAna.exe (PID: 3444)
      • 360DeskAna.exe (PID: 2760)
      • DesktopPlus64.exe (PID: 2276)
      • KB931125-rootsupd.exe (PID: 3180)
      • QHSafeMain.exe (PID: 3376)
      • 360TsLiveUpd.exe (PID: 3784)
      • WscReg.exe (PID: 3676)
    • Checks proxy server information

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3764)
      • QHSafeTray.exe (PID: 3544)
      • QHSafeMain.exe (PID: 3376)
    • The process uses the downloaded file

      • firefox.exe (PID: 2584)
    • Creates files in a temporary directory

      • 360TS_Setup.exe (PID: 3764)
      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3736)
      • KB931125-rootsupd.exe (PID: 3180)
    • Reads the machine GUID from the registry

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3388)
      • QHSafeTray.exe (PID: 3544)
      • PopWndLog.exe (PID: 1848)
      • 360DeskAna.exe (PID: 3444)
      • DesktopPlus64.exe (PID: 2276)
      • QHSafeMain.exe (PID: 3376)
      • 360TsLiveUpd.exe (PID: 3784)
      • WscReg.exe (PID: 3676)
    • Creates files or folders in the user directory

      • 360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe (PID: 3420)
      • 360TS_Setup.exe (PID: 3764)
      • QHSafeTray.exe (PID: 3544)
      • DesktopPlus64.exe (PID: 2276)
    • Application launched itself

      • firefox.exe (PID: 2584)
    • Drops the executable file immediately after the start

      • firefox.exe (PID: 2584)
    • Creates files in the program directory

      • 360TS_Setup.exe (PID: 3736)
      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3388)
      • QHSafeTray.exe (PID: 3544)
      • PopWndLog.exe (PID: 1848)
      • QHSafeMain.exe (PID: 3376)
      • 360TsLiveUpd.exe (PID: 3784)
    • Reads CPU info

      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3388)
      • QHSafeMain.exe (PID: 3376)
      • QHSafeTray.exe (PID: 3544)
    • Reads Microsoft Office registry keys

      • 360TS_Setup.exe (PID: 3764)
    • Process checks computer location settings

      • 360TS_Setup.exe (PID: 3764)
    • Process checks whether UAC notifications are on

      • 360TS_Setup.exe (PID: 3764)
      • QHActiveDefense.exe (PID: 3388)
      • QHSafeTray.exe (PID: 3544)
    • Dropped object may contain TOR URLs

      • 360TS_Setup.exe (PID: 3764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
74
Monitored processes
41
Malicious processes
25
Suspicious processes
1

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
308
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.1.1054295105\12232237" -parentBuildID 20230710165010 -prefsHandle 1412 -prefMapHandle 1408 -prefsLen 29857 -prefMapSize 244187 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad5e577-7212-4de1-a941-da67fce30ed0} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 1424 42d3e58 socket
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID:
460
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.6.1737272193\778536867" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 30253 -prefMapSize 244187 -jsInitHandle 920 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6285630-08dc-4c3b-a25c-46c68cbecde2} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 3908 16877758 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID:
796
CMD:
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\scan.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
QHActiveDefense.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
1000
CMD:
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
360TS_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
1724
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.5.1620614607\1529928512" -childID 4 -isForBrowser -prefsHandle 3864 -prefMapHandle 3844 -prefsLen 30253 -prefMapSize 244187 -jsInitHandle 920 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7f2dd22-2bc8-41af-a469-4f6893469e69} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 3852 20343658 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID:
1800
CMD:
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
Path:
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
Parent process:
KB931125-rootsupd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
UPDROOTS
Exit code:
0
Version:
5.1.2484.0 (main.010529-2005)
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\updroots.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
1848
CMD:
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=1
Path:
C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
Parent process:
QHSafeTray.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
AD Blocker
Exit code:
0
Version:
6, 1, 0, 1061
Modules
Images
c:\program files (x86)\360\total security\safemon\popwndlog.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
1944
CMD:
C:\Windows\Explorer.EXE
Path:
C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
2100
CMD:
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
Path:
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
Parent process:
KB931125-rootsupd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
UPDROOTS
Exit code:
0
Version:
5.1.2484.0 (main.010529-2005)
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\updroots.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
2228
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.0.1910655269\1732283839" -parentBuildID 20230710165010 -prefsHandle 1112 -prefMapHandle 1104 -prefsLen 29780 -prefMapSize 244187 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd478aa-3ba7-4300-906e-e9e44f37af4f} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 1184 42d0e58 gpu
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
39 603
Read events
38 153
Write events
1 415
Delete events
35

Modification events

(PID) Process: (1944) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
(PID) Process: (2584) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
0000000000000000
(PID) Process: (1944) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (1944) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: 308046O0NS4N39PO
Value:
000000000D000000150000005F450200000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF800D10ACA1C5D90100000000
(PID) Process: (1944) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
(PID) Process: (2584) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
1
(PID) Process: (2584) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process: (2584) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value:
1
(PID) Process: (2584) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Enabled
Value:
1
(PID) Process: (2584) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation: write
Name: C:\Program Files\Mozilla Firefox|DisableTelemetry
Value:
0
Executable files
1 229
Suspicious files
1 358
Text files
385
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cookies.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json.tmp
Type: binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\urlCache-current.bin
Type: binary
MD5: 4DF9B77C7650AF87B264E535779AE2A4
SHA256: C57071FCFEF26EE4F08A2029E547848EC015B10045ABAD705195A9F966FEAE58
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json
Type: binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cert9.db
Type: binary
MD5: 69D5BAA80AE749A201B4B05411073D83
SHA256: 6DED0889B8F5183BEF97C2DFF1C66604F9C0F05576365F6D0010497C5053C4E8
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\datareporting\glean\db\data.safe.tmp
Type: binary
MD5: 0655A2D1EEF9518AE846BAA4DD9D9FD9
SHA256: BE530199C7CC6CFD9D6463DC4BFD3717A1BA5D878D03771618C070A8620B3B33
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\Downloads\360TS_Setup_Mini.sY1vKX0x.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe.part
Type: executable
MD5: D7DD1FC5E7A00444DE90425E2F117607
SHA256: BC71972F93477727C073CD7F89141575F93659B7889FD723ADBD9F1A303154F6
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID: 2584
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\datareporting\glean\pending_pings\852adb68-615d-4339-a53a-2bb611f6b2c9
Type: text
MD5: 5248121E75BD868F35D031016122D818
SHA256: A57E283B5B21A7AA396775ACDF7223460F9AF9278E6EC7B17FDDE4E555E01E4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
68
TCP/UDP connections
142
DNS requests
161
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
GET
200
52.29.179.141:80
http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=1a802dc84f31e3bda4b0cceb4134f63f&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=655&tdl=655&tds=655&terr=0&tes=Status|1,ErrorCode|0,DnCount|5,HttpNum|1,DnFailCount|5,FStatus|1,P2SS|655,P2PS|0,PDMode|2&tfl=655&tp=t&tst=1&ttdl=655&ttm=1000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS
unknown
unknown
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1048.exe
unknown
unknown
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
GET
104.192.108.17:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1048.exe
unknown
unknown
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
GET
104.192.108.20:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1048.exe
unknown
unknown
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
GET
104.192.108.17:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1048.exe
unknown
unknown
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
GET
200
108.138.24.189:80
http://sd.p.360safe.com/61450211D3B36D42AD4592E3EE6F1440BE6658C2.trt
unknown
binary
15.0 Kb
unknown
2584
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
text
8 b
unknown
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
GET
200
151.236.118.237:80
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
unknown
compressed
655 b
unknown
2584
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
text
90 b
unknown
2584
firefox.exe
POST
200
142.250.184.195:80
http://ocsp.pki.goog/gts1c3
unknown
binary
472 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2584
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1956
svchost.exe
239.255.255.250:1900
whitelisted
2584
firefox.exe
34.117.237.239:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2584
firefox.exe
18.214.83.77:443
spocs.getpocket.com
AMAZON-AES
US
unknown
2584
firefox.exe
34.117.65.55:443
push.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2584
firefox.exe
2.16.202.121:80
r3.o.lencr.org
Akamai International B.V.
NL
unknown
2584
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
unknown
2584
firefox.exe
13.227.149.217:80
ocsp.r2m02.amazontrust.com
US
unknown

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 34.107.221.82
whitelisted
www.360totalsecurity.com
  • 82.145.213.41
  • 82.145.213.42
  • 82.145.213.43
  • 54.76.238.225
unknown
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.237.239
whitelisted
spocs.getpocket.com
  • 18.214.83.77
  • 18.205.42.245
  • 34.197.137.200
  • 54.209.99.24
shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com
  • 34.197.137.200
  • 18.214.83.77
  • 54.209.99.24
  • 18.205.42.245
shared
example.org
  • 93.184.216.34
whitelisted
ipv4only.arpa
  • 192.0.0.171
  • 192.0.0.170
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted

Threats

PID
Process
Class
Message
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
3420
360TS_Setup_Mini.h1.YWZmaS5hZGl0bWVkaWEuUEI.Z3FSamMybGtxakV3WHpZd05UZ3pPVFNqWTJsa3VEWTFORGM1TkRRNE1XRTVOVE0wTURBd01XWXhNbVkxWVE.ts.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4 ETPRO signatures available at the full report
No debug info