download:

360TS_Setup_US_ADW_0002_6.6.0.1046.exe

Full analysis: https://app.any.run/tasks/26287ce0-fb3d-47b1-893c-9ad51e512f9e
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 22, 2019, 04:18:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

DC8364D33206A1AD09A44B393823F390

SHA1:

1013F1E0B9CE83D1E0EADA5A1681EF8E1BA5CBD7

SHA256:

90BEF6A8C4909EDBF7DBE73F1E431DD9D4C0D87626849DC749DEB941A4EF841A

SSDEEP:

24576:oHuYvtC2myvFYDaqSP1zj1SqdAGFQZIxLK545UJoeJF:ejvFY2qSNzjYq+ZIca5UJoeb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • 360TS_Setup_US_ADW_0002_6.6.0.1046.exe (PID: 3784)
      • PowerSaver.exe (PID: 1084)
      • 360InstantSetup.exe (PID: 4084)
      • QHActiveDefense.exe (PID: 2804)

    • Loads dropped or rewritten executable

      • 360TS_Setup.exe (PID: 3132)
      • 360TS_Setup_US_ADW_0002_6.6.0.1046.exe (PID: 3784)
      • PowerSaver.exe (PID: 1084)
      • QHActiveDefense.exe (PID: 2804)
      • QHActiveDefense.exe (PID: 3772)
      • QHSafeTray.exe (PID: 2272)
      • PopWndLog.exe (PID: 504)
      • DllHost.exe (PID: 1940)
      • QHSafeTray.exe (PID: 2924)
      • QHSafeMain.exe (PID: 4040)
      • explorer.exe (PID: 236)
      • 360TsLiveUpd.exe (PID: 1788)
      • PromoUtil.exe (PID: 756)
      • 360InstantSetup.exe (PID: 4084)
      • cefutil.exe (PID: 2788)
      • WscReg.exe (PID: 2628)
      • cefutil.exe (PID: 3756)
      • LiveUpdate360.exe (PID: 3472)
      • cefutil.exe (PID: 3224)
      • 360InstantSetup.exe (PID: 2396)
      • eagleget_360security.exe (PID: 2360)
      • regsvr32.exe (PID: 3448)
      • DllHost.exe (PID: 3948)
      • regsvr32.exe (PID: 3828)
      • regsvr32.exe (PID: 3764)
      • cefutil.exe (PID: 404)
      • 360DeskAna.exe (PID: 3508)
      • SearchProtocolHost.exe (PID: 3228)
      • 360DeskAna.exe (PID: 2400)
      • windanr.exe (PID: 2152)
      • SearchFilterHost.exe (PID: 2092)
      • cefutil.exe (PID: 1816)
      • svchost.exe (PID: 3584)
      • 360InstantSetup.exe (PID: 2540)
      • LineInst_5.0.0.1380_is.exe (PID: 2136)
      • SearchProtocolHost.exe (PID: 4944)
      • LineAppMgr.exe (PID: 5724)
      • explorer.exe (PID: 3812)
      • explorer.exe (PID: 5180)
      • 360InstantSetup.exe (PID: 4156)
      • DllHost.exe (PID: 5972)
      • svchost.exe (PID: 844)
      • SkypeSetupFull_7.32.99.104_is.exe (PID: 4728)

    • Changes the autorun value in the registry

      • 360TS_Setup.exe (PID: 3132)
      • QHActiveDefense.exe (PID: 2804)

    • Application was dropped or rewritten from another process

      • QHActiveDefense.exe (PID: 3772)
      • QHActiveDefense.exe (PID: 2804)
      • PowerSaver.exe (PID: 1084)
      • PopWndLog.exe (PID: 504)
      • QHSafeMain.exe (PID: 4040)
      • QHWatchdog.exe (PID: 1648)
      • QHSafeTray.exe (PID: 2924)
      • QHWatchdog.exe (PID: 2320)
      • 360InstantSetup.exe (PID: 4084)
      • QHSafeTray.exe (PID: 2272)
      • 360TsLiveUpd.exe (PID: 1788)
      • PromoUtil.exe (PID: 756)
      • cefutil.exe (PID: 2788)
      • cefutil.exe (PID: 3756)
      • LiveUpdate360.exe (PID: 3472)
      • WscReg.exe (PID: 2628)
      • cefutil.exe (PID: 3224)
      • eagleget_360security.exe (PID: 2360)
      • 360InstantSetup.exe (PID: 2396)
      • cefutil.exe (PID: 404)
      • cefutil.exe (PID: 1816)
      • 360DeskAna.exe (PID: 3508)
      • 360DeskAna.exe (PID: 2400)
      • 360InstantSetup.exe (PID: 2540)
      • LineAppMgr.exe (PID: 5724)
      • 360InstantSetup.exe (PID: 4156)
      • msiexec.exe (PID: 4616)
      • MsiExec.exe (PID: 1124)
      • MsiExec.exe (PID: 4460)

    • Registers / Runs the DLL via REGSVR32.EXE

      • eagleget_360security.tmp (PID: 772)

    • Loads the Task Scheduler COM API

      • QHActiveDefense.exe (PID: 2804)
      • explorer.exe (PID: 3812)
      • svchost.exe (PID: 844)

    • Disables Windows Defender

      • QHSafeMain.exe (PID: 4040)
      • svchost.exe (PID: 844)

    • Changes Windows auto-update feature

      • svchost.exe (PID: 844)
      • QHSafeMain.exe (PID: 4040)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 360TS_Setup_US_ADW_0002_6.6.0.1046.exe (PID: 3784)
      • QHActiveDefense.exe (PID: 3772)
      • QHActiveDefense.exe (PID: 2804)
      • 360TS_Setup.exe (PID: 3132)
      • LiveUpdate360.exe (PID: 3472)
      • eagleget_360security.exe (PID: 2360)
      • eagleget_360security.tmp (PID: 772)
      • QHSafeMain.exe (PID: 4040)
      • LineInst_5.0.0.1380_is.exe (PID: 2136)
      • msiexec.exe (PID: 4616)

    • Adds / modifies Windows certificates

      • 360TS_Setup_US_ADW_0002_6.6.0.1046.exe (PID: 3784)
      • 360InstantSetup.exe (PID: 4084)
      • QHActiveDefense.exe (PID: 2804)

    • Reads Internet Cache Settings

      • 360TS_Setup_US_ADW_0002_6.6.0.1046.exe (PID: 3784)

    • Low-level read access rights to disk partition

      • 360TS_Setup_US_ADW_0002_6.6.0.1046.exe (PID: 3784)
      • 360TS_Setup.exe (PID: 3132)
      • QHActiveDefense.exe (PID: 2804)
      • QHSafeTray.exe (PID: 2272)
      • QHSafeTray.exe (PID: 2924)
      • QHSafeMain.exe (PID: 4040)
      • 360TsLiveUpd.exe (PID: 1788)
      • PromoUtil.exe (PID: 756)
      • 360InstantSetup.exe (PID: 4084)
      • LiveUpdate360.exe (PID: 3472)
      • 360InstantSetup.exe (PID: 2396)
      • 360InstantSetup.exe (PID: 2540)
      • 360InstantSetup.exe (PID: 4156)

    • Creates or modifies windows services

      • 360TS_Setup.exe (PID: 3132)
      • QHActiveDefense.exe (PID: 3772)
      • QHActiveDefense.exe (PID: 2804)
      • QHWatchdog.exe (PID: 1648)
      • QHSafeTray.exe (PID: 2272)

    • Creates files in the Windows directory

      • 360TS_Setup.exe (PID: 3132)
      • QHActiveDefense.exe (PID: 3772)
      • QHActiveDefense.exe (PID: 2804)

    • Creates files in the driver directory

      • 360TS_Setup.exe (PID: 3132)
      • QHActiveDefense.exe (PID: 3772)
      • QHActiveDefense.exe (PID: 2804)

    • Creates COM task schedule object

      • 360TS_Setup.exe (PID: 3132)
      • regsvr32.exe (PID: 3448)
      • regsvr32.exe (PID: 3828)
      • regsvr32.exe (PID: 3764)

    • Creates a software uninstall entry

      • 360TS_Setup.exe (PID: 3132)
      • LineInst_5.0.0.1380_is.exe (PID: 2136)

    • Creates files in the program directory

      • QHActiveDefense.exe (PID: 3772)
      • QHSafeTray.exe (PID: 2272)
      • PopWndLog.exe (PID: 504)
      • 360TS_Setup.exe (PID: 3132)
      • PromoUtil.exe (PID: 756)
      • QHSafeMain.exe (PID: 4040)
      • 360InstantSetup.exe (PID: 4084)
      • cefutil.exe (PID: 2788)
      • LiveUpdate360.exe (PID: 3472)
      • cefutil.exe (PID: 3224)
      • QHActiveDefense.exe (PID: 2804)
      • svchost.exe (PID: 844)
      • SkypeSetupFull_7.32.99.104_is.exe (PID: 4728)

    • Executed as Windows Service

      • QHActiveDefense.exe (PID: 2804)

    • Searches for installed software

      • QHSafeTray.exe (PID: 2272)

    • Application launched itself

      • cefutil.exe (PID: 2788)
      • 360InstantSetup.exe (PID: 4084)

    • Reads Windows owner or organization settings

      • eagleget_360security.tmp (PID: 772)

    • Reads the Windows organization settings

      • eagleget_360security.tmp (PID: 772)

    • Creates files in the user directory

      • eagleget_360security.tmp (PID: 772)
      • QHSafeMain.exe (PID: 4040)
      • LiveUpdate360.exe (PID: 3472)
      • LineInst_5.0.0.1380_is.exe (PID: 2136)

    • Removes files from Windows directory

      • QHActiveDefense.exe (PID: 2804)

    • Modifies the open verb of a shell class

      • LineInst_5.0.0.1380_is.exe (PID: 2136)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • 360TS_Setup.exe (PID: 3132)
      • LineInst_5.0.0.1380_is.exe (PID: 2136)
      • QHActiveDefense.exe (PID: 2804)

    • Dropped object may contain TOR URL's

      • 360TS_Setup.exe (PID: 3132)

    • Reads settings of System Certificates

      • QHActiveDefense.exe (PID: 2804)
      • QHSafeMain.exe (PID: 4040)
      • 360InstantSetup.exe (PID: 4084)

    • Reads the hosts file

      • cefutil.exe (PID: 2788)
      • QHSafeMain.exe (PID: 4040)
      • QHActiveDefense.exe (PID: 2804)

    • Loads dropped or rewritten executable

      • eagleget_360security.tmp (PID: 772)
      • MsiExec.exe (PID: 4460)
      • msiexec.exe (PID: 4616)
      • MsiExec.exe (PID: 1124)

    • Creates files in the program directory

      • eagleget_360security.tmp (PID: 772)
      • MsiExec.exe (PID: 1124)

    • Application was dropped or rewritten from another process

      • eagleget_360security.tmp (PID: 772)

    • Creates a software uninstall entry

      • eagleget_360security.tmp (PID: 772)

    • Application launched itself

      • msiexec.exe (PID: 4616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:22 13:07:34+01:00
PEType: PE32
LinkerVersion: 9
CodeSize: 457728
InitializedDataSize: 1057280
UninitializedDataSize: -
EntryPoint: 0x53cd4
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.6.0.1046
ProductVersionNumber: 6.6.0.1046
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: QIHU 360 SOFTWARE CO. LIMITED
FileDescription: 360 Total Security Online Installer
FileVersion: 6, 6, 0, 1046
InternalName: 360Installer
LegalCopyright: (C)Qihu 360 Software Co., Ltd. All rights reserved.
OriginalFileName: 360Installer.exe
ProductName: 360 Total Security Online Installer
ProductVersion: 6, 6, 0, 1046

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 22-Jan-2018 12:07:34
Detected languages:
  • English - United States
Debug artifacts:
  • C:\vmagent_new\bin\joblist\232270\out\Release\360Installer.pdb
CompanyName: QIHU 360 SOFTWARE CO. LIMITED
FileDescription: 360 Total Security Online Installer
FileVersion: 6, 6, 0, 1046
InternalName: 360Installer
LegalCopyright: (C)Qihu 360 Software Co., Ltd. All rights reserved.
OriginalFilename: 360Installer.exe
ProductName: 360 Total Security Online Installer
ProductVersion: 6, 6, 0, 1046

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 22-Jan-2018 12:07:34
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0006FA01
0x0006FC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.56914
.rdata
0x00071000
0x00015CE4
0x00015E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.14339
.data
0x00087000
0x0000A5A0
0x00006800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.83506
.rsrc
0x00092000
0x000E5A5C
0x000E5C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.75793

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.26275
1064
Latin 1 / Western European
English - United States
RT_MANIFEST
2
5.15558
270376
Latin 1 / Western European
English - United States
RT_ICON
3
5.05904
9640
Latin 1 / Western European
English - United States
RT_ICON
4
5.14388
4264
Latin 1 / Western European
English - United States
RT_ICON
5
5.26245
2440
Latin 1 / Western European
English - United States
RT_ICON
6
5.12872
1128
Latin 1 / Western European
English - United States
RT_ICON
7
4.16294
1384
Latin 1 / Western European
English - United States
RT_ICON
8
5.70608
1128
Latin 1 / Western European
English - United States
RT_ICON
9
3.36265
500
Latin 1 / Western European
English - United States
RT_STRING
10
3.49418
956
Latin 1 / Western European
English - United States
RT_STRING

Imports

KERNEL32.dll
WS2_32.dll (delay-loaded)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
86
Monitored processes
51
Malicious processes
30
Suspicious processes
7

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start 360ts_setup_us_adw_0002_6.6.0.1046.exe 360ts_setup.exe powersaver.exe no specs qhactivedefense.exe qhactivedefense.exe qhsafetray.exe qhwatchdog.exe no specs popwndlog.exe no specs Thumbnail Cache Out of Proc Server no specs qhwatchdog.exe no specs qhsafetray.exe no specs explorer.exe no specs qhsafemain.exe 360tsliveupd.exe promoutil.exe 360instantsetup.exe cefutil.exe cefutil.exe no specs wscreg.exe no specs liveupdate360.exe cefutil.exe no specs 360instantsetup.exe no specs eagleget_360security.exe eagleget_360security.tmp regsvr32.exe no specs Thumbnail Cache Out of Proc Server no specs regsvr32.exe no specs regsvr32.exe no specs cefutil.exe no specs cefutil.exe no specs 360deskana.exe no specs 360deskana.exe no specs searchfilterhost.exe no specs windanr.exe no specs searchprotocolhost.exe no specs gpupdate.exe no specs svchost.exe no specs explorer.exe no specs 360instantsetup.exe no specs lineinst_5.0.0.1380_is.exe searchprotocolhost.exe no specs lineappmgr.exe explorer.exe no specs 360instantsetup.exe no specs Thumbnail Cache Out of Proc Server no specs skypesetupfull_7.32.99.104_is.exe no specs svchost.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs 360ts_setup_us_adw_0002_6.6.0.1046.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
404"C:\Program Files\360\Total Security\Utils\cef\cefutil.exe" --type=renderer --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Program Files\360\Total Security\Utils\cef\debug.log" --log-severity=disable --device-scale-factor=1 --num-raster-threads=2 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2788.2.794747304\1066790753" /prefetch:1C:\Program Files\360\Total Security\Utils\cef\cefutil.execefutil.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
CEF Utility Application
Exit code:
0
Version:
1, 0, 0, 1027
Modules
Images
c:\program files\360\total security\utils\cef\cefutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
504"C:\Program Files\360\Total Security\safemon\PopWndLog.exe" /cleantip=1C:\Program Files\360\Total Security\safemon\PopWndLog.exeQHSafeTray.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
AD Blocker
Exit code:
0
Version:
6, 1, 0, 1051
Modules
Images
c:\program files\360\total security\safemon\popwndlog.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
756"C:\Program Files\360\Total Security\PromoUtil.exe"C:\Program Files\360\Total Security\PromoUtil.exe
QHSafeMain.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
Promotion Utility Application
Exit code:
0
Version:
8, 6, 0, 1111
Modules
Images
c:\program files\360\total security\promoutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
772"C:\Users\admin\AppData\Local\Temp\is-MS6SD.tmp\eagleget_360security.tmp" /SL5="$300C4,7365378,173056,C:\Users\Public\Downloads\eagleget_360security.exe" /VERYSILENTC:\Users\admin\AppData\Local\Temp\is-MS6SD.tmp\eagleget_360security.tmp
eagleget_360security.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ms6sd.tmp\eagleget_360security.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
844C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1084"C:\Program Files\360\Total Security\Utils\PowerSaver.exe" /flightsigningC:\Program Files\360\Total Security\Utils\PowerSaver.exe360TS_Setup.exe
User:
admin
Company:
360.cn
Integrity Level:
HIGH
Description:
360安全卫士卸载清理模块
Exit code:
0
Version:
11.0.0.1081
Modules
Images
c:\program files\360\total security\utils\powersaver.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1124C:\Windows\system32\MsiExec.exe -Embedding 9FF476AD865CC7B7CF1585865957E90EC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1648"C:\Program Files\360\Total Security\safemon\QHWatchdog.exe" /installC:\Program Files\360\Total Security\safemon\QHWatchdog.exeQHSafeTray.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
360 Total Security
Exit code:
0
Version:
8,2,0,1010
Modules
Images
c:\program files\360\total security\safemon\qhwatchdog.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1788"C:\Program Files\360\Total Security\360TsLiveUpd.exe" /delay:30C:\Program Files\360\Total Security\360TsLiveUpd.exe
QHActiveDefense.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
HIGH
Description:
360 Update Module
Exit code:
0
Version:
10,0,0,1046
Modules
Images
c:\program files\360\total security\360tsliveupd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
11 145
Read events
9 660
Write events
1 405
Delete events
80

Modification events

(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:APPSTARTING
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:ARROW
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:CROSS
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:HAND
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:HELP
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:IBEAM
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:NO
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZEALL
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZENESW
Value:
%SystemRoot%\cursors\clearcur.cur
(PID) Process:(2152) windanr.exeKey:HKEY_CURRENT_USER\Control Panel\Cursors
Operation:writeName:SIZENS
Value:
%SystemRoot%\cursors\clearcur.cur
Executable files
1 300
Suspicious files
885
Text files
482
Unknown types
131

Dropped files

PID
Process
Filename
Type
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\{B5C1533C-EC0A-4cab-8560-F8C2E582A03C}.tmp
MD5:
SHA256:
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\!@t4567.tmp.P2P
MD5:
SHA256:
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\C__Users_admin_AppData_Local_Temp_!@t4567.tmp.mem
MD5:
SHA256:
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\!@t4567.tmp.dir\setup.ini
MD5:
SHA256:
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\360TS_Setup.exe.P2P
MD5:
SHA256:
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\360TS_Setup.exe
MD5:
SHA256:
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\C__Users_admin_AppData_Local_Temp_360TS_Setup.exe.mem
MD5:
SHA256:
3784360TS_Setup_US_ADW_0002_6.6.0.1046.exeC:\Users\admin\AppData\Local\Temp\C__Users_admin_AppData_Local_Temp_360TS_Setup.exe.trt
MD5:
SHA256:
3132360TS_Setup.exeC:\Users\admin\AppData\Local\Temp\360_install_20190922051926_1118796\writeable_test_1118796.dat
MD5:
SHA256:
3132360TS_Setup.exeC:\Users\admin\AppData\Local\Temp\360_install_20190922051926_1118796\temp_files\writeable_test_1118843.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
62
DNS requests
12
Threats
165

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.18:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.18:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
GET
104.192.108.21:80
http://int.down.360safe.com/totalsecurity/360TS_Setup_10.6.0.1210.exe
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
54.77.42.29:3478
st.p.360safe.com
Amazon.com, Inc.
IE
unknown
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
52.29.179.141:80
s.360safe.com
Amazon.com, Inc.
DE
suspicious
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
54.76.174.118:80
tr.p.360safe.com
Amazon.com, Inc.
IE
unknown
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
82.145.215.156:443
orion.ts.360.com
Opera Software AS
unknown
52.214.9.152:3478
Amazon.com, Inc.
IE
unknown
85.17.73.119:25847
LeaseWeb Netherlands B.V.
NL
unknown
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
5.254.23.114:80
iup.360safe.com
RO
malicious
178.22.170.119:15494
JSC Transtelecom
KZ
unknown
223.181.239.163:16282
Bharti Airtel Ltd. AS for GPRS Service
IN
unknown
187.193.143.226:10113
Uninet S.A. de C.V.
MX
unknown

DNS requests

Domain
IP
Reputation
st.p.360safe.com
  • 54.77.42.29
unknown
s.360safe.com
  • 52.29.179.141
  • 18.184.178.29
suspicious
iup.360safe.com
  • 5.254.23.114
malicious
orion.ts.360.com
  • 82.145.215.156
unknown
tr.p.360safe.com
  • 54.76.174.118
unknown
int.down.360safe.com
  • 104.192.108.18
  • 104.192.108.21
malicious
sd.p.360safe.com
  • 143.204.208.28
  • 143.204.208.220
  • 143.204.208.26
  • 143.204.208.95
whitelisted
www.360totalsecurity.com
  • 82.145.213.41
suspicious
subca.ocsp-certum.com
  • 151.139.236.246
whitelisted
wotrus-ovca.ocsp-certum.com
  • 151.139.236.246
whitelisted

Threats

PID
Process
Class
Message
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
Generic Protocol Command Decode
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
3784
360TS_Setup_US_ADW_0002_6.6.0.1046.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2804
QHActiveDefense.exe
Potential Corporate Privacy Violation
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set
3472
LiveUpdate360.exe
A Network Trojan was detected
ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe
3472
LiveUpdate360.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3472
LiveUpdate360.exe
A Network Trojan was detected
ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe
Process
Message
LineAppMgr.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
360TS_Setup_US_ADW_0002_6.6.0.1046.exe