File name: installer.exe

Full analysis: https://app.any.run/tasks/796c1449-6198-40f7-9751-861d16e2d7bf
Verdict: Malicious activity
Analysis date: January 17, 2024, 12:21:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2774BFC277F577D0B1FF7AE800D2CC0C
SHA1: A41BF06EC374678F21E5944D3BB24B78F30F1477
SHA256: BB6BA6978E258A886D62D848F6F91D39E7E18B3F1B9572A3A048B07B390723B8
SSDEEP: 24576:0wGvIBKN5VI/EtUhUNka1zj1SqdAGFQZIxaC45UJoenV:BKNU/EtUuNNzjYq+ZIgL5UJoeV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • installer.exe (PID: 2256)
  • SUSPICIOUS
    • Process requests binary or script from the Internet
      • installer.exe (PID: 2256)
    • Executable content was dropped or overwritten
      • installer.exe (PID: 2256)
    • Reads the Internet Settings
      • installer.exe (PID: 2256)
  • INFO
    • Checks supported languages
      • installer.exe (PID: 2256)
    • Reads the machine GUID from the registry
      • installer.exe (PID: 2256)
    • Checks proxy server information
      • installer.exe (PID: 2256)
    • Creates files or folders in the user directory
      • installer.exe (PID: 2256)
    • Reads the computer name
      • installer.exe (PID: 2256)
    • Creates files in a temporary directory
      • installer.exe (PID: 2256)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:09 13:21:50+02:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 423424
InitializedDataSize: 1051648
UninitializedDataSize: -
EntryPoint: 0x4d263
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.6.0.1065
ProductVersionNumber: 6.6.0.1065
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Qihoo 360 Technology Co. Ltd.
FileDescription: 360 Total Security Online Installer
FileVersion: 6, 6, 0, 1065
InternalName: 360Installer
LegalCopyright: (C) Qihoo 360 Technology Co. Ltd., All rights reserved.
OriginalFileName: 360Installer.exe
ProductName: 360 Total Security Online Installer
ProductVersion: 6, 6, 0, 1065
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> installer.exe -> installer.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
2040 | "C:\Users\admin\AppData\Local\Temp\installer.exe" | C:\Users\admin\AppData\Local\Temp\installer.exe | | explorer.exe
User: admin
Company: Qihoo 360 Technology Co. Ltd.
Integrity Level: MEDIUM
Description: 360 Total Security Online Installer
Exit code: 3221226540
Version: 6, 6, 0, 1065
Modules (Images):
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll

2256 | "C:\Users\admin\AppData\Local\Temp\installer.exe" | C:\Users\admin\AppData\Local\Temp\installer.exe | | explorer.exe
User: admin
Company: Qihoo 360 Technology Co. Ltd.
Integrity Level: HIGH
Description: 360 Total Security Online Installer
Exit code: 0
Version: 6, 6, 0, 1065
Modules (Images):
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 668
Read events: 647
Write events: 21
Delete events: 0

Modification events

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionTime
Value: F87FFEA63F49DA01

(PID) Process: (2256) installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecision
Value: 0
Executable files: 2
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2256 | installer.exe | C:\Users\admin\AppData\Local\Temp\{B91549DB-8175-4134-BC00-2A3BE43CA30B}.tmp\360P2SP.dll | executable
MD5: FC1796ADD9491EE757E74E65CEDD6AE7
SHA256: BF1B96F5B56BE51E24D6314BC7EC25F1BDBA2435F4DFC5BE87DE164FE5DE9E60
2256 | installer.exe | C:\Users\admin\AppData\Local\Temp\!@tFDC9.tmp | compressed
MD5: 2C523ACC54088D19DDF454BDA954BEEF
SHA256: B1A7726DFC4A90133215602B504C3939605B0015C00CC7B426378EDFCDDCC3DD
2256 | installer.exe | C:\Users\admin\AppData\Local\Temp\{3ED8C644-DF16-4715-9D50-28E8712644AB}.tmp | compressed
MD5: 7D883E7A121DD2A690E3A04BB196DA6F
SHA256: 9A54E77EDD072495D1A9C0BBA781F14C63F344EAAFA4F466D3DE770979691410
2256 | installer.exe | C:\Users\admin\AppData\Local\Temp\!@tFDC9.tmp.P2P | compressed
MD5: 2C523ACC54088D19DDF454BDA954BEEF
SHA256: B1A7726DFC4A90133215602B504C3939605B0015C00CC7B426378EDFCDDCC3DD
2256 | installer.exe | C:\Users\admin\AppData\Local\Temp\C__Users_admin_AppData_Local_Temp_!@tFDC9.tmp.mem | binary
MD5: F82E98B1F591A5BADBABD9B2C7CC2A49
SHA256: 71A048D977A4C950496848301128EB57BF5B387892B554D117135671ED75EDC9
2256 | installer.exe | C:\Users\admin\AppData\Local\Temp\!@tFDC9.tmp.dir\setup.ini | text
MD5: 4026B676C1FDA3313AB793CC703A7DE7
SHA256: A6AF86B7815469DC3E043A6F13875C0F73101741D3A55BAFEEDAA86B988C5799
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 29
DNS requests: 6
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2256 | installer.exe | GET | 200 | 52.29.179.141:80 | http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1065&pid=WW.ADBcash.CPI202308&os=6.1&mid=b8c075ec50c0ffb37ec9c97cc27794fb&state=153 | unknown | | | unknown
2256 | installer.exe | GET | 200 | 52.29.179.141:80 | http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIdEqR%2FgABAAAOtfBIlrfeSnqY0%2BGiMrOtsXtwfHN3CcyKIw3O9PGVtZuiBlUJO3NWG92jcVQXH%2BlAcT84Ttqfb1TbDaiBadNapbeaa05rnv42fkhoi%2Fa7I9Sc1fFWQE4e4BntzwcUI2wjTMd%2FzDp%2B7nFmoVnC17aegZZzviWwgywNhlikbkfjaV245lgZMxtisvKGF6gU4LU5IRZCdSIfpNB%2BiNi4tLyn9rdKmgJV04SKLGDQ1Ozgq%2FnT2e9usvq75v13Th5HIcnpKytzm0UCJRoeK77loDxJAG2mUtvy5zjHCOmOBfuCk36HsjoyImpFaAWPVaYcRKeKcxQa3gzHHvvS6qaDHAWE0ntsbVntQ%2Btu3uywVys2UzjlTeG9BnFEqNQRPMGUxma4lFWq32GRfBHp37eExDig | unknown | | | unknown
2256 | installer.exe | GET | 200 | 151.236.96.167:80 | http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab | unknown | compressed | 655 b | unknown
2256 | installer.exe | GET | 200 | 52.29.179.141:80 | http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=b8c075ec50c0ffb37ec9c97cc27794fb&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=655&tdl=655&tds=655&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,DnFailCount|6,FStatus|1,P2SS|655,P2PS|0,PDMode|2&tfl=655&tp=t&tst=1&ttdl=655&ttm=1000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS | unknown | | | unknown
2256 | installer.exe | GET | | 104.192.108.21:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1073.exe | unknown | | | unknown
2256 | installer.exe | GET | | 104.192.108.20:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1073.exe | unknown | | | unknown
2256 | installer.exe | GET | | 104.192.108.20:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1073.exe | unknown | | | unknown
2256 | installer.exe | GET | | 104.192.108.20:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1073.exe | unknown | | | unknown
2256 | installer.exe | GET | | 104.192.108.17:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1073.exe | unknown | | | unknown
2256 | installer.exe | GET | 200 | 13.32.23.130:80 | http://sd.p.360safe.com/6F79A56EEE9CC4E090829186AED7661C24328656.trt | unknown | binary | 15.3 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2256 | installer.exe | 54.77.42.29:3478 | st.p.360safe.com | | | unknown
2256 | installer.exe | 54.76.174.118:80 | tr.p.360safe.com | | | unknown
2256 | installer.exe | 52.29.179.141:80 | s.360safe.com | AMAZON-02 | DE | unknown
2256 | installer.exe | 151.236.96.167:80 | iup.360safe.com | CDNvideo LLC | RU | unknown
2256 | installer.exe | 104.192.108.21:80 | int.down.360safe.com | Beijing Qihu Technology Company Limited | US | unknown
2256 | installer.exe | 104.192.108.20:80 | int.down.360safe.com | Beijing Qihu Technology Company Limited | US | unknown
2256 | installer.exe | 104.192.108.17:80 | int.down.360safe.com | Beijing Qihu Technology Company Limited | US | unknown

DNS requests

Domain | IP | Reputation
st.p.360safe.com | 54.77.42.29 | unknown
s.360safe.com | 52.29.179.141, 18.184.178.29 | unknown
iup.360safe.com | 151.236.96.167 | unknown
tr.p.360safe.com | 54.76.174.118 | unknown
int.down.360safe.com | 104.192.108.17, 104.192.108.20, 104.192.108.21 | unknown
sd.p.360safe.com | 13.32.23.130, 13.32.23.79, 13.32.23.58, 13.32.23.19 | whitelisted

Threats

PID | Process | Class | Message
2256 | installer.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
2256 | installer.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
2256 | installer.exe | Generic Protocol Command Decode | ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
2256 | installer.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info