File name: 360safe_cq.exe

Full analysis: https://app.any.run/tasks/ebcf099a-b37c-4fce-bdbe-125e52880c81
Verdict: Malicious activity
Analysis date: May 08, 2020, 13:20:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4870239F217B1FB7194EB05E70F1BD5C
SHA1: 8A51CB7113C4AD7B391EDC6194C58E2CEAB4D5FA
SHA256: B461BD262778834AF7E326F1C5CC4FE5FD134A2B1BA32332D4A5DCC4386EB595
SSDEEP: 49152:jxwpiJmTgXkuvib1TogsPuqU4b6KzxzYe0:1JggXkuvv3U4u6xzYf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • setup_12.0.0.2002s.exe (PID: 3820)
      • explorer.exe (PID: 372)
      • 360safe_se.exe (PID: 3824)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • 360rp.exe (PID: 576)
      • setup.exe (PID: 2896)
      • 360tray.exe (PID: 3896)
      • 360se.exe (PID: 3328)
    • Changes the autorun value in the registry

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • setup.exe (PID: 2896)
    • Loads dropped or rewritten executable

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360safe_cq.exe (PID: 2116)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • dep360.exe (PID: 2892)
      • 360sd.exe (PID: 3456)
      • dep360.exe (PID: 3544)
      • 360rp.exe (PID: 576)
      • 360tray.exe (PID: 3896)
      • DllHost.exe (PID: 4036)
      • DllHost.exe (PID: 2904)
      • DllHost.exe (PID: 1832)
      • setup.exe (PID: 2896)
      • 360SecLogonHelper.exe (PID: 3860)
      • zhudongfangyu.exe (PID: 1876)
      • PowerSaver.exe (PID: 4052)
      • 360IA.exe (PID: 968)
      • PopWndTracker.exe (PID: 280)
      • SoftMgrLite.exe (PID: 1248)
      • setup.exe (PID: 2864)
      • SearchProtocolHost.exe (PID: 2472)
      • 360bdoctor.exe (PID: 2976)
      • 360se.exe (PID: 3328)
      • explorer.exe (PID: 372)
      • wdswfsafe.exe (PID: 2548)
      • services.exe (PID: 472)
      • svchost.exe (PID: 860)
      • 360tray.exe (PID: 3128)
      • wmiprvse.exe (PID: 2648)
      • 360se.exe (PID: 2716)
      • 360entcall.exe (PID: 608)
      • 360se.exe (PID: 2132)
      • 360se.exe (PID: 252)
      • SoftupNotify.exe (PID: 4080)
      • LiveUpdate360.exe (PID: 2776)
      • zhudongfangyu.exe (PID: 772)
      • 360se.exe (PID: 2616)
      • zhudongfangyu.exe (PID: 4988)
    • Application was dropped or rewritten from another process

      • 360tray.exe (PID: 3896)
      • 360SecLogonHelper.exe (PID: 3860)
      • 360sd.exe (PID: 3456)
      • 360rp.exe (PID: 576)
      • setup.exe (PID: 2896)
      • WscControl.exe (PID: 2692)
      • WscControl.exe (PID: 3356)
      • PowerSaver.exe (PID: 4052)
      • PopWndTracker.exe (PID: 280)
      • PowerSaver.exe (PID: 3328)
      • setup.exe (PID: 2864)
      • 360IA.exe (PID: 968)
      • SoftMgrLite.exe (PID: 1248)
      • WscReg.exe (PID: 3376)
      • 360bdoctor.exe (PID: 2976)
      • zhudongfangyu.exe (PID: 1876)
      • 360se.exe (PID: 3328)
      • wdswfsafe.exe (PID: 2548)
      • 360tray.exe (PID: 3128)
      • 360se.exe (PID: 2716)
      • 360entcall.exe (PID: 608)
      • 360se.exe (PID: 2132)
      • 360se.exe (PID: 252)
      • SoftupNotify.exe (PID: 4080)
      • 360se.exe (PID: 2616)
      • LiveUpdate360.exe (PID: 2776)
      • zhudongfangyu.exe (PID: 772)
      • 360bdoctor.exe (PID: 2852)
      • 360se.exe (PID: 3652)
      • zhudongfangyu.exe (PID: 4988)
      • dep360.exe (PID: 2892)
      • dep360.exe (PID: 3544)
    • Changes settings of System certificates

      • PowerSaver.exe (PID: 4052)
      • 360rp.exe (PID: 576)
      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360se.exe (PID: 3328)
      • 360tray.exe (PID: 3896)
    • Loads the Task Scheduler COM API

      • 360tray.exe (PID: 3896)
    • Loads the Task Scheduler DLL interface

      • 360tray.exe (PID: 3896)
    • Registers / Runs the DLL via REGSVR32.EXE

      • SoftupNotify.exe (PID: 4080)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • 360safe_cq.exe (PID: 2116)
      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • 360tray.exe (PID: 3896)
      • setup.exe (PID: 2896)
      • 360bdoctor.exe (PID: 2976)
      • 360se.exe (PID: 3328)
    • Low-level read access rights to disk partition

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360safe_cq.exe (PID: 2116)
      • 360tray.exe (PID: 3896)
      • 360SecLogonHelper.exe (PID: 3860)
      • 360rp.exe (PID: 576)
      • setup.exe (PID: 2896)
      • 360se.exe (PID: 3328)
      • wdswfsafe.exe (PID: 2548)
      • 360tray.exe (PID: 3128)
      • zhudongfangyu.exe (PID: 4988)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • setup_12.0.0.2002s.exe (PID: 3820)
    • Creates files in the user directory

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360rp.exe (PID: 576)
      • setup.exe (PID: 2896)
      • 360tray.exe (PID: 3896)
      • SoftMgrLite.exe (PID: 1248)
      • setup.exe (PID: 2864)
      • 360se.exe (PID: 3328)
      • wdswfsafe.exe (PID: 2548)
      • 360se.exe (PID: 2132)
      • LiveUpdate360.exe (PID: 2776)
    • Creates a software uninstall entry

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • setup.exe (PID: 2896)
    • Creates files in the Windows directory

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360tray.exe (PID: 3896)
      • 360rp.exe (PID: 576)
    • Creates files in the driver directory

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360tray.exe (PID: 3896)
      • 360rp.exe (PID: 576)
    • Creates or modifies windows services

      • setup_12.0.0.2002s.exe (PID: 3820)
      • services.exe (PID: 472)
      • 360tray.exe (PID: 3896)
      • zhudongfangyu.exe (PID: 1876)
      • 360rp.exe (PID: 576)
    • Modifies the open verb of a shell class

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360rp.exe (PID: 576)
    • Executable content was dropped or overwritten

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • 360tray.exe (PID: 3896)
      • 360safe_se.exe (PID: 3824)
      • 360rp.exe (PID: 576)
      • setup.exe (PID: 2896)
      • 360safe_cq.exe (PID: 2116)
      • 360bdoctor.exe (PID: 2976)
      • 360se.exe (PID: 3328)
    • Creates COM task schedule object

      • 360sd_5.0.0.8140.exe (PID: 3984)
      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360tray.exe (PID: 3896)
    • Creates files in the program directory

      • PopWndTracker.exe (PID: 280)
      • 360sd.exe (PID: 3456)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • 360rp.exe (PID: 576)
      • 360tray.exe (PID: 3896)
      • SoftMgrLite.exe (PID: 1248)
      • 360entcall.exe (PID: 608)
      • SoftupNotify.exe (PID: 4080)
      • LiveUpdate360.exe (PID: 2776)
      • zhudongfangyu.exe (PID: 4988)
      • setup_12.0.0.2002s.exe (PID: 3820)
    • Removes files from Windows directory

      • 360rp.exe (PID: 576)
    • Adds / modifies Windows certificates

      • 360rp.exe (PID: 576)
      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360se.exe (PID: 3328)
      • 360tray.exe (PID: 3896)
    • Reads the cookies of Google Chrome

      • setup_12.0.0.2002s.exe (PID: 3820)
    • Reads the BIOS version

      • 360tray.exe (PID: 3896)
    • Searches for installed software

      • 360rp.exe (PID: 576)
    • Starts itself from another location

      • setup.exe (PID: 2896)
    • Application launched itself

      • 360se.exe (PID: 3328)
  • INFO

    • Dropped object may contain TOR URL's

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • setup.exe (PID: 2896)
    • Dropped object may contain Bitcoin addresses

      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360sd_5.0.0.8140.exe (PID: 3984)
      • setup.exe (PID: 2896)
      • 360tray.exe (PID: 3896)
      • 360se.exe (PID: 3328)
      • 360rp.exe (PID: 576)
    • Reads settings of System Certificates

      • 360rp.exe (PID: 576)
      • setup_12.0.0.2002s.exe (PID: 3820)
      • 360tray.exe (PID: 3896)
      • 360se.exe (PID: 3328)
    • Reads the hosts file

      • 360se.exe (PID: 3328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:07:18 10:41:11+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 772096
InitializedDataSize: 2096128
UninitializedDataSize: -
EntryPoint: 0x9db3a
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.2.0.2168
ProductVersionNumber: 2.2.0.2168
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: -
CompanyName: 360.cn
FileDescription: 360安全卫士在线安装程序
FileVersion: 2, 2, 0, 2168
InternalName: 360Inst
LegalCopyright: Copyright (C) 360.cn Inc.All Rights Reserve
LegalTrademarks: -
OriginalFileName: 360Inst.exe
PrivateBuild: -
ProductName: 360安全卫士在线安装程序
ProductVersion: 2, 2, 0, 2168
SpecialBuild: -

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Jul-2018 08:41:11
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • C:\vmagent_new\bin\joblist\275620\out\Release\360Inst.pdb
Comments: -
CompanyName: 360.cn
FileDescription: 360安全卫士在线安装程序
FileVersion: 2, 2, 0, 2168
InternalName: 360Inst
LegalCopyright: Copyright (C) 360.cn Inc.All Rights Reserve
LegalTrademarks: -
OriginalFilename: 360Inst.exe
PrivateBuild: -
ProductName: 360安全卫士在线安装程序
ProductVersion: 2, 2, 0, 2168
SpecialBuild: -

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Jul-2018 08:41:11
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000BC6BC | 0x000BC800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.68692
.rdata | 0x000BE000 | 0x00026C56 | 0x00026E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.84147
.data | 0x000E5000 | 0x000540C0 | 0x00006E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.66676
.rsrc | 0x0013A000 | 0x001781C8 | 0x00178200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.35775
.reloc | 0x002B3000 | 0x0000C8DE | 0x0000CA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.4504

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.13012 | 831 | UNKNOWN | Chinese - PRC | RT_MANIFEST
2 | 5.86453 | 4264 | UNKNOWN | Chinese - PRC | RT_ICON
3 | 5.65385 | 2440 | UNKNOWN | Chinese - PRC | RT_ICON
4 | 5.9716 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON
5 | 4.16294 | 1384 | UNKNOWN | Chinese - PRC | RT_ICON
6 | 5.70608 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON
9 | 5.33432 | 354 | UNKNOWN | Chinese - PRC | RT_STRING
10 | 5.66377 | 366 | UNKNOWN | Chinese - PRC | RT_STRING
11 | 5.82648 | 362 | UNKNOWN | Chinese - PRC | RT_STRING
12 | 6.42933 | 622 | UNKNOWN | Chinese - PRC | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
MSIMG32.dll
NETAPI32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
No data.
All screenshots are available in the full report
Total processes: 86
Monitored processes: 46
Malicious processes: 23
Suspicious processes: 10

Behavior graph

(Interactive process graph; not reproduced here. Nodes shown, in order: 360safe_cq.exe, setup_12.0.0.2002s.exe, 360sd_5.0.0.8140.exe, dep360.exe (no specs), 360tray.exe, 360seclogonhelper.exe, popwndtracker.exe (no specs), zhudongfangyu.exe (no specs), 360sd.exe (no specs), dep360.exe (no specs), 360rp.exe, 360safe_se.exe, setup.exe, powersaver.exe (no specs), powersaver.exe (no specs), wsccontrol.exe (no specs), wsccontrol.exe (no specs), Thumbnail Cache Out of Proc Server (no specs) x3, setup.exe (no specs), 360ia.exe (no specs), softmgrlite.exe, 360bdoctor.exe, wscreg.exe (no specs), explorer.exe, 360se.exe, searchprotocolhost.exe (no specs), wdswfsafe.exe (no specs), 360tray.exe (no specs), 360se.exe (no specs), services.exe (no specs), svchost.exe, 360entcall.exe (no specs), 360se.exe, wmiprvse.exe (no specs), 360se.exe (no specs), softupnotify.exe, liveupdate360.exe, 360se.exe (no specs), zhudongfangyu.exe (no specs), regsvr32.exe, 360bdoctor.exe (no specs), 360se.exe (no specs), zhudongfangyu.exe (no specs), 360safe_cq.exe (no specs). Edge labels were "start" and "drop and start".)

Process information

PID | CMD | Path | Parent process
252 | "C:\Users\admin\AppData\Roaming\360se6\Application\360se.exe" --type=renderer --disable-direct-write --primordial-pipe-token=A83088A0D9D698C022AF01318F1CB21A --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --service-request-channel-token=A83088A0D9D698C022AF01318F1CB21A --mojo-platform-channel-handle=1776 /prefetch:1 /prefetch:673131151 | C:\Users\admin\AppData\Roaming\360se6\Application\360se.exe | 360se.exe
User: admin
Company: 360.cn
Integrity Level: LOW
Description: 360安全浏览器
Exit code: 0
Version: 9.1.0.410
Modules (Images):
c:\users\admin\appdata\roaming\360se6\application\360se.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
280 | "C:\Program Files\360\360Safe\safemon\PopWndTracker.exe" /query | C:\Program Files\360\360Safe\safemon\PopWndTracker.exe | setup_12.0.0.2002s.exe
User: admin
Company: 北京欣和智成科技有限公司
Integrity Level: HIGH
Description: 弹窗过滤器
Exit code: 3221225547
Version: 6, 1, 0, 1110
Modules (Images):
c:\program files\360\360safe\safemon\popwndtracker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
372 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | -
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\winanr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
472 | C:\Windows\system32\services.exe | C:\Windows\System32\services.exe | wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Services and Controller app
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
576 | "C:\Program Files\360\360sd\360rp.exe" /run | C:\Program Files\360\360sd\360rp.exe | 360sd.exe
User: admin
Company: 360.cn
Integrity Level: HIGH
Description: 360杀毒 实时监控
Exit code: 0
Version: 5, 0, 0, 5076
Modules (Images):
c:\program files\360\360sd\360rp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
608 | "C:\Program Files\360\360Safe\360entcall.exe" /setupent | C:\Program Files\360\360Safe\360entcall.exe | setup_12.0.0.2002s.exe
User: admin
Company: 360互联网安全中心
Integrity Level: HIGH
Description: 360 客户端组件
Exit code: 0
Version: 2, 0, 0, 2002
Modules (Images):
c:\program files\360\360safe\360entcall.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
772 | "C:\Program Files\360\360Safe\deepscan\zhudongfangyu.exe" /Start | C:\Program Files\360\360Safe\deepscan\zhudongfangyu.exe | setup_12.0.0.2002s.exe
User: admin
Company: 360.cn
Integrity Level: HIGH
Description: 360主动防御服务模块
Exit code: 0
Version: 3, 2, 2, 2115
Modules (Images):
c:\program files\360\360safe\deepscan\zhudongfangyu.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
860 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\windanr.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
968 | "C:\Program Files\360\360Safe\Utils\360IA.exe" /src=probe /dpi=96 | C:\Program Files\360\360Safe\Utils\360IA.exe | 360tray.exe
User: admin
Company: 360.cn
Integrity Level: HIGH
Description: 360安全卫士 智能助手模块
Exit code: 0
Version: 12.0.0.1050
Modules (Images):
c:\program files\360\360safe\utils\360ia.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1248 | "C:\Program Files\360\360Safe\SoftMgr\SML\SoftMgrLite.exe" | C:\Program Files\360\360Safe\SoftMgr\SML\SoftMgrLite.exe | 360tray.exe
User: admin
Company: 360.cn
Integrity Level: HIGH
Description: 360软件小助手
Exit code: 0
Version: 3, 1, 0, 1995
Modules (Images):
c:\program files\360\360safe\softmgr\sml\softmgrlite.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 15 725
Read events: 7 922
Write events: 7 714
Delete events: 89

Modification events

Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\Liveup | Operation: write | Name: mid | Value: cfe1ce9b8f5123cc37f394accff90c49e593c1ef62585eeea14b615c6b4efcbe
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\LiveUpdate360 | Operation: write | Name: proxytype | Value: 1
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\360safe_cq_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\360safe_cq_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\360safe_cq_RASAPI32 | Operation: write | Name: FileTracingMask | Value: 4294901760
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\360safe_cq_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: 4294901760
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\360safe_cq_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\360safe_cq_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\LiveUpdate360 | Operation: write | Name: Nat | Value: 3
Process: (2116) 360safe_cq.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\LiveUpdate360 | Operation: write | Name: NatUpdate | Value: 1588944036
Executable files: 1 180
Suspicious files: 1 254
Text files: 1 555
Unknown types: 146

Dropped files

PID | Process | Filename | Type
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\!@t844.tmp.dir\IELog.jpg | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\!@t844.tmp.dir\safe_icon.bmp | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\!@t844.tmp.dir\safe_logo.jpg | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\!@t844.tmp.dir\safe_title.JPG | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\!@t844.tmp.dir\sd_icon.bmp | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\!@t844.tmp.dir\sd_logo.jpg | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\!@t844.tmp.dir\setup.ini | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\360844.tmp | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\setup_12.0.0.2002s.exe.P2P | - (MD5: - | SHA256: -)
2116 | 360safe_cq.exe | C:\Users\admin\AppData\Local\Temp\setup_12.0.0.2002s.exe | - (MD5: - | SHA256: -)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 109
TCP/UDP connections: 103
DNS requests: 21
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2116 | 360safe_cq.exe | GET | - | 104.192.108.18:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted
2116 | 360safe_cq.exe | GET | - | 104.192.108.17:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted
2116 | 360safe_cq.exe | GET | - | 104.192.108.17:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted
2116 | 360safe_cq.exe | GET | - | 104.192.108.17:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted
2116 | 360safe_cq.exe | GET | - | 104.192.108.17:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted
2116 | 360safe_cq.exe | GET | - | 104.192.108.18:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted
2116 | 360safe_cq.exe | GET | 200 | 1.192.194.212:80 | http://ini.update.360safe.com/instcomp.htm?soft=323&status=24&mid=cfe1ce9b8f5123cc37f394accff90c49&from=zz_cq&ver=2.2.0.2168&count=0&usetime=3?soft=323&status=24&mid=cfe1ce9b8f5123cc37f394accff90c49&from=zz_cq&ver=2.2.0.2168&count=0&usetime=3&gslb=1 | CN | - | - | suspicious
2116 | 360safe_cq.exe | GET | - | 104.192.108.18:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted
2116 | 360safe_cq.exe | GET | 200 | 1.192.194.212:80 | http://ini.update.360safe.com/instcomp.htm?soft=323&status=6&mid=cfe1ce9b8f5123cc37f394accff90c49&from=zz_cq&ver=2.2.0.2168&count=0&new=1?soft=323&status=6&mid=cfe1ce9b8f5123cc37f394accff90c49&from=zz_cq&ver=2.2.0.2168&count=0&new=1&gslb=1 | CN | - | - | suspicious
2116 | 360safe_cq.exe | GET | - | 104.192.108.17:80 | http://dl.360safe.com/setup_12.0.0.2002s.exe | US | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2116 | 360safe_cq.exe | 1.192.136.136:3478 | st.p.360.cn | No.31,Jin-rong Street | CN | unknown
- | - | 185.217.117.152:25900 | - | - | GB | unknown
- | - | 1.192.136.137:3478 | - | No.31,Jin-rong Street | CN | unknown
2116 | 360safe_cq.exe | 1.192.136.133:80 | agt.p.360.cn | No.31,Jin-rong Street | CN | unknown
2116 | 360safe_cq.exe | 180.163.235.152:80 | - | China Telecom (Group) | CN | unknown
2116 | 360safe_cq.exe | 104.192.108.18:80 | pinst.360.cn | Beijing Qihu Technology Company Limited | US | suspicious
2116 | 360safe_cq.exe | 101.199.97.243:80 | update.360safe.com | IDC, China Telecommunications Corporation | CN | unknown
2116 | 360safe_cq.exe | 1.192.194.212:80 | ini.update.360safe.com | No.31,Jin-rong Street | CN | unknown
2116 | 360safe_cq.exe | 104.192.108.17:80 | dl.360safe.com | Beijing Qihu Technology Company Limited | US | malicious
2116 | 360safe_cq.exe | 120.52.140.46:80 | sd.p.360.cn | China Unicom IP network | CN | suspicious

DNS requests

Domain | IP | Reputation
st.p.360.cn | 1.192.136.170, 1.192.136.136 | whitelisted
pinst.360.cn | 104.192.108.18, 104.192.108.21 | whitelisted
agt.p.360.cn | 1.192.136.132, 1.192.136.133 | whitelisted
tr.p.360.cn | 180.163.229.168, 180.163.230.245, 180.163.230.244, 180.163.229.167, 1.192.136.132, 1.192.136.133, 1.192.136.134, 1.192.136.135 | suspicious
down.360safe.com | 104.192.108.18, 104.192.108.21 | malicious
update.360safe.com | 101.199.97.243, 171.8.167.71, 180.163.242.64 | malicious
ini.update.360safe.com | 1.192.194.212, 36.110.232.70 | suspicious
dl.360safe.com | 104.192.108.17, 104.192.108.18, 104.192.108.21 | whitelisted
agd.p.360.cn | 119.188.66.33 | whitelisted
sd.p.360.cn | 120.52.140.46, 120.52.140.45, 120.52.140.33, 120.52.140.32, 120.52.140.31, 120.52.140.30, 120.52.140.48, 120.52.140.47 | whitelisted

Threats

PID | Process | Class | Message
2116 | 360safe_cq.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
2116 | 360safe_cq.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
2116 | 360safe_cq.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
- | - | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
- | - | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
2116 | 360safe_cq.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2116 | 360safe_cq.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2116 | 360safe_cq.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Debug output strings

Process | Message
SoftupNotify.exe | /install
regsvr32.exe | 360softmgr.shellext.SafeExistThread leave
regsvr32.exe | 360softmgr.shellext.SafeExistThread leave
360rp.exe | CreateFile fail
explorer.exe | 360softmgr.shellext.CommandMonitor loop, InterlockedCompareExchange(&lThreadExitFlag_CommandMonitor, 1, 1) -> 0
explorer.exe | 360softmgr.shellext.CommandMonitor loop, InterlockedCompareExchange(&lThreadExitFlag_CommandMonitor, 1, 1) -> 0
explorer.exe | OpenFileMapping lasterror:0
explorer.exe | startmenuUnpin
explorer.exe | C:\Program Files\360\360Safe\SoftMgr\??????????.lnk
explorer.exe | open Global\360SoftMgr.ShellExt.Share