Malware analysis edge-cis.exe Malicious activity | ANY.RUN

Add for printing

File name:	edge-cis.exe
Full analysis:	https://app.any.run/tasks/9449c133-e3ce-4256-8871-13926561a7b2
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 19, 2025, 06:08:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	inno installer delphi loader adware stealer arch-scr arch-html
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:	05229FAF10CCA0D4BC5AB297D845B5F5
SHA1:	379A7EC986707DD230D87F7B07B6D9BD6474D001
SHA256:	8FD248D06BF0F14AE1FF27963F51B86BDA17C8E4CD9C7575826EB47CB757A173
SSDEEP:	98304:/bUWxQTRNrd9NoDY2tOXruW+565qWKgBHhd4z329rnFqnIbi8ho6EJiAwdE2IsxA:v0dFU0J9ADRlBH4HAXjnaoj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - lite_installer.exe (PID: 6044)
  - seederexe.exe (PID: 5556)
  - 360TS_Setup.exe (PID: 8120)
  - setup.exe (PID: 5360)
  - setup.exe (PID: 5756)
  - csrss.exe (PID: 5824)
  - explorer.exe (PID: 4724)
  - explorer.exe (PID: 7328)
  - clidmgr.exe (PID: 5048)
  - csrss.exe (PID: 532)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 7268)
  - clidmgr.exe (PID: 7616)
  - browser.exe (PID: 5308)
  - browser.exe (PID: 6416)
  - browser.exe (PID: 3176)
  - browser.exe (PID: 7860)
  - browser.exe (PID: 6148)
  - browser.exe (PID: 7812)
  - browser.exe (PID: 7896)
  - browser.exe (PID: 8036)
  - browser.exe (PID: 6244)
  - browser.exe (PID: 6728)
  - browser.exe (PID: 8040)
  - browser.exe (PID: 7624)
  - browser.exe (PID: 7892)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 6828)
  - browser.exe (PID: 5136)
  - browser.exe (PID: 7592)
  - browser.exe (PID: 7352)
  - browser.exe (PID: 7244)
  - browser.exe (PID: 7560)
  - browser.exe (PID: 7804)
  - browser.exe (PID: 5228)
  - browser.exe (PID: 7264)
  - browser.exe (PID: 1452)
  - browser.exe (PID: 6660)
  - browser.exe (PID: 7284)
  - browser.exe (PID: 684)
  - browser.exe (PID: 7964)
  - browser.exe (PID: 7968)
  - browser.exe (PID: 7960)
  - browser.exe (PID: 7180)
  - browser.exe (PID: 7272)
  - browser.exe (PID: 1196)
  - browser.exe (PID: 3008)
  - browser.exe (PID: 672)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 4464)
  - browser.exe (PID: 664)
  - browser.exe (PID: 7452)
  - browser.exe (PID: 7224)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 744)
  - browser.exe (PID: 6248)
  - browser.exe (PID: 7964)
  - browser.exe (PID: 7564)
  - browser.exe (PID: 5008)
  - browser.exe (PID: 7348)
  - browser.exe (PID: 6228)
  - browser.exe (PID: 6908)
  - browser.exe (PID: 3304)
  - browser.exe (PID: 3804)
  - browser.exe (PID: 776)
  - regsvr32.exe (PID: 7372)
  - browser.exe (PID: 4884)
  - browser.exe (PID: 7296)
  - WscReg.exe (PID: 864)
  - WscReg.exe (PID: 472)
  - EaInstHelper64.exe (PID: 4220)
  - PowerSaver.exe (PID: 4376)
  - QHActiveDefense.exe (PID: 6940)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 4996)
  - QHSafeTray.exe (PID: 2516)
  - PopWndLog.exe (PID: 5200)
  - PopWndLog.exe (PID: 5596)
  - regsvr32.exe (PID: 8008)
  - KB931125-rootsupd.exe (PID: 7476)
  - QHSafeTray.exe (PID: 7488)
  - edge-cis.tmp (PID: 6004)
  - regsvr32.exe (PID: 5484)
  - WscReg.exe (PID: 5180)
  - WscReg.exe (PID: 6876)
  - regsvr32.exe (PID: 2028)
  - browser.exe (PID: 908)
  - browser.exe (PID: 3708)
- Steals credentials from Web Browsers
  - seederexe.exe (PID: 5556)
  - browser.exe (PID: 7536)
- ADWARE has been detected (SURICATA)
  - edge-cis.tmp (PID: 6004)
- Changes the autorun value in the registry
  - browser.exe (PID: 7536)
  - 360TS_Setup.exe (PID: 8120)
  - QHActiveDefense.exe (PID: 7708)
  - KB931125-rootsupd.exe (PID: 7476)
- Registers / Runs the DLL via REGSVR32.EXE
  - 360TS_Setup.exe (PID: 8120)
  - QHSafeTray.exe (PID: 2516)
  - QHActiveDefense.exe (PID: 7708)
- Executing a file with an untrusted certificate
  - EaInstHelper64.exe (PID: 4220)
  - PowerSaver.exe (PID: 4376)
  - QHWatchdog.exe (PID: 5508)
  - QHWatchdog.exe (PID: 2096)
  - KB931125-rootsupd.exe (PID: 7476)
  - QHToasts.exe (PID: 808)
- Runs injected code in another process
  - NgScHx_u_yH.exe (PID: 3708)
  - NgScHx_u_yH.exe (PID: 800)
  - NgScHx_u_yH.exe (PID: 4728)
  - NgScHx_u_yH.exe (PID: 980)
- Application was injected by another process
  - explorer.exe (PID: 5492)
SUSPICIOUS
- Executable content was dropped or overwritten
  - edge-cis.exe (PID: 7052)
  - edge-cis.exe (PID: 5736)
  - edge-cis.tmp (PID: 6004)
  - downloader.exe (PID: 5364)
  - MicrosoftEdgeSetup.exe (PID: 5800)
  - lite_installer.exe (PID: 6044)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - Yandex.exe (PID: 7536)
  - 360TS_Setup.exe (PID: 8068)
  - 360TS_Setup.exe (PID: 8120)
  - yb31AC.tmp (PID: 7216)
  - setup.exe (PID: 5756)
  - browser.exe (PID: 7180)
  - QHActiveDefense.exe (PID: 6940)
  - EaInstHelper64.exe (PID: 4220)
  - KB931125-rootsupd.exe (PID: 7476)
  - QHActiveDefense.exe (PID: 7708)
- Reads the Windows owner or organization settings
  - edge-cis.tmp (PID: 6004)
  - msiexec.exe (PID: 6824)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeSetup.exe (PID: 5800)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - YandexPackSetup.exe (PID: 5360)
  - updroots.exe (PID: 7372)
  - updroots.exe (PID: 3124)
  - updroots.exe (PID: 5364)
  - updroots.exe (PID: 7100)
- Process drops legitimate windows executable
  - edge-cis.tmp (PID: 6004)
  - MicrosoftEdgeSetup.exe (PID: 5800)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - downloader.exe (PID: 5364)
  - 360TS_Setup.exe (PID: 8120)
  - KB931125-rootsupd.exe (PID: 7476)
- Reads security settings of Internet Explorer
  - edge-cis.tmp (PID: 7020)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - downloader.exe (PID: 5364)
  - lite_installer.exe (PID: 6044)
  - edge-cis.tmp (PID: 6004)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - explorer.exe (PID: 7580)
  - Yandex.exe (PID: 7536)
  - 360TS_Setup.exe (PID: 8120)
  - setup.exe (PID: 5756)
  - explorer.exe (PID: 7328)
  - QHSafeTray.exe (PID: 2516)
  - PopWndLog.exe (PID: 5200)
  - PopWndLog.exe (PID: 5596)
  - QHActiveDefense.exe (PID: 7708)
- Searches for installed software
  - edge-cis.tmp (PID: 6004)
  - setup.exe (PID: 5756)
  - QHSafeTray.exe (PID: 2516)
- Disables SEHOP
  - MicrosoftEdgeUpdate.exe (PID: 5956)
- There is functionality for taking screenshot (YARA)
  - edge-cis.tmp (PID: 6004)
  - 360TS_Setup.exe (PID: 8068)
  - 360TS_Setup.exe (PID: 8120)
- Process requests binary or script from the Internet
  - downloader.exe (PID: 5364)
  - lite_installer.exe (PID: 6044)
  - edge-cis.tmp (PID: 6004)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - 360TS_Setup.exe (PID: 8120)
- Adds/modifies Windows certificates
  - downloader.exe (PID: 5364)
  - PowerSaver.exe (PID: 4376)
  - WscReg.exe (PID: 472)
  - updroots.exe (PID: 7372)
  - updroots.exe (PID: 5364)
  - updroots.exe (PID: 3124)
  - QHActiveDefense.exe (PID: 7708)
  - 360TS_Setup.exe (PID: 8120)
- Application launched itself
  - downloader.exe (PID: 5364)
  - setup.exe (PID: 5756)
  - explorer.exe (PID: 7328)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 7964)
  - QHSafeTray.exe (PID: 2516)
  - PopWndLog.exe (PID: 5200)
- Potential Corporate Privacy Violation
  - downloader.exe (PID: 5364)
  - lite_installer.exe (PID: 6044)
  - edge-cis.tmp (PID: 6004)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
- Reads Mozilla Firefox installation path
  - seederexe.exe (PID: 5556)
  - browser.exe (PID: 7536)
- Access to an unwanted program domain was detected
  - edge-cis.tmp (PID: 6004)
- Changes the title of the Internet Explorer window
  - seederexe.exe (PID: 5556)
- Changes the Home page of Internet Explorer
  - seederexe.exe (PID: 5556)
- The process creates files with name similar to system file names
  - Yandex.exe (PID: 7536)
  - setup.exe (PID: 5756)
- Starts itself from another location
  - Yandex.exe (PID: 7536)
  - 360TS_Setup.exe (PID: 8068)
  - setup.exe (PID: 5756)
- Creates a software uninstall entry
  - Yandex.exe (PID: 7536)
  - setup.exe (PID: 5756)
  - 360TS_Setup.exe (PID: 8120)
- Creates file in the systems drive root
  - 360TS_Setup.exe (PID: 8120)
- The process verifies whether the antivirus software is installed
  - 360TS_Setup.exe (PID: 8120)
  - csrss.exe (PID: 5824)
  - regsvr32.exe (PID: 7372)
  - WscReg.exe (PID: 864)
  - WscReg.exe (PID: 472)
  - EaInstHelper64.exe (PID: 4220)
  - PowerSaver.exe (PID: 4376)
  - QHActiveDefense.exe (PID: 6940)
  - explorer.exe (PID: 5492)
  - csrss.exe (PID: 532)
  - QHWatchdog.exe (PID: 5508)
  - QHSafeTray.exe (PID: 2516)
  - QHSafeTray.exe (PID: 4996)
  - QHActiveDefense.exe (PID: 7708)
  - PopWndLog.exe (PID: 5200)
  - PopWndLog.exe (PID: 5596)
  - regsvr32.exe (PID: 8008)
  - QHSafeTray.exe (PID: 7488)
  - KB931125-rootsupd.exe (PID: 7476)
  - edge-cis.tmp (PID: 6004)
  - regsvr32.exe (PID: 5484)
  - regsvr32.exe (PID: 2028)
  - WscReg.exe (PID: 6876)
  - browser.exe (PID: 908)
  - WscReg.exe (PID: 5180)
  - browser.exe (PID: 3708)
  - QHToasts.exe (PID: 808)
- Drops 7-zip archiver for unpacking
  - 360TS_Setup.exe (PID: 8120)
- Starts application with an unusual extension
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
- Reads the date of Windows installation
  - explorer.exe (PID: 7328)
- The process checks if it is being run in the virtual environment
  - browser.exe (PID: 7536)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 7964)
- Drops a system driver (possible attempt to evade defenses)
  - 360TS_Setup.exe (PID: 8120)
  - EaInstHelper64.exe (PID: 4220)
  - QHActiveDefense.exe (PID: 6940)
  - QHActiveDefense.exe (PID: 7708)
- Creates files in the driver directory
  - 360TS_Setup.exe (PID: 8120)
  - EaInstHelper64.exe (PID: 4220)
  - QHActiveDefense.exe (PID: 6940)
  - QHActiveDefense.exe (PID: 7708)
- Creates or modifies Windows services
  - 360TS_Setup.exe (PID: 8120)
  - EaInstHelper64.exe (PID: 4220)
  - QHActiveDefense.exe (PID: 6940)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 2516)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 7372)
- Executes as Windows Service
  - WscReg.exe (PID: 472)
  - QHActiveDefense.exe (PID: 7708)
  - WscReg.exe (PID: 5180)
- Connects to the server without a host name
  - QHSafeTray.exe (PID: 2516)
INFO
- Checks supported languages
  - edge-cis.exe (PID: 5736)
  - edge-cis.exe (PID: 7052)
  - edge-cis.tmp (PID: 6004)
  - edge-cis.tmp (PID: 7020)
  - MicrosoftEdgeSetup.exe (PID: 5800)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - downloader.exe (PID: 5364)
  - YandexPackSetup.exe (PID: 5360)
  - msiexec.exe (PID: 6824)
  - msiexec.exe (PID: 4336)
  - lite_installer.exe (PID: 6044)
  - seederexe.exe (PID: 5556)
  - downloader.exe (PID: 7220)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - Yandex.exe (PID: 7536)
  - explorer.exe (PID: 7580)
  - sender.exe (PID: 7640)
  - 360TS_Setup.exe (PID: 8068)
  - 360TS_Setup.exe (PID: 8120)
  - yb31AC.tmp (PID: 7216)
  - setup.exe (PID: 5360)
  - setup.exe (PID: 5756)
  - explorer.exe (PID: 7328)
  - explorer.exe (PID: 4724)
  - clidmgr.exe (PID: 7616)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 3176)
  - browser.exe (PID: 5308)
  - clidmgr.exe (PID: 5048)
  - browser.exe (PID: 7268)
  - browser.exe (PID: 6416)
  - browser.exe (PID: 6148)
  - browser.exe (PID: 7860)
  - browser.exe (PID: 7896)
  - browser.exe (PID: 7812)
  - browser.exe (PID: 6244)
  - browser.exe (PID: 6728)
  - browser.exe (PID: 8040)
  - browser.exe (PID: 8036)
  - browser.exe (PID: 7624)
  - browser.exe (PID: 7352)
  - browser.exe (PID: 7892)
  - browser.exe (PID: 6828)
  - browser.exe (PID: 5136)
  - browser.exe (PID: 7592)
  - browser.exe (PID: 7560)
  - browser.exe (PID: 5228)
  - browser.exe (PID: 7804)
  - browser.exe (PID: 1452)
  - browser.exe (PID: 6660)
  - browser.exe (PID: 7272)
  - browser.exe (PID: 7264)
  - browser.exe (PID: 7244)
  - browser.exe (PID: 7284)
  - browser.exe (PID: 684)
  - browser.exe (PID: 1196)
  - browser.exe (PID: 7180)
  - browser.exe (PID: 7968)
  - browser.exe (PID: 7964)
  - browser.exe (PID: 7960)
  - browser.exe (PID: 672)
  - browser.exe (PID: 3008)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 664)
  - browser.exe (PID: 4464)
  - browser.exe (PID: 7452)
  - browser.exe (PID: 7224)
  - browser.exe (PID: 744)
  - browser.exe (PID: 6248)
  - browser.exe (PID: 7564)
  - browser.exe (PID: 7964)
  - browser.exe (PID: 5008)
  - browser.exe (PID: 3804)
  - browser.exe (PID: 7348)
  - browser.exe (PID: 6228)
  - browser.exe (PID: 3304)
  - browser.exe (PID: 6908)
  - browser.exe (PID: 776)
  - browser.exe (PID: 4884)
  - browser.exe (PID: 7296)
  - PowerSaver.exe (PID: 4376)
  - WscReg.exe (PID: 472)
  - EaInstHelper64.exe (PID: 4220)
  - WscReg.exe (PID: 864)
  - QHActiveDefense.exe (PID: 6940)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 2516)
  - PopWndLog.exe (PID: 5200)
  - QHSafeTray.exe (PID: 4996)
  - QHWatchdog.exe (PID: 5508)
  - PopWndLog.exe (PID: 5596)
  - QHSafeTray.exe (PID: 7488)
  - KB931125-rootsupd.exe (PID: 7476)
  - QHWatchdog.exe (PID: 2096)
  - updroots.exe (PID: 5364)
  - updroots.exe (PID: 3124)
  - updroots.exe (PID: 7100)
  - updroots.exe (PID: 7372)
  - NgScHx_u_yH.exe (PID: 3708)
  - WscReg.exe (PID: 6876)
  - WscReg.exe (PID: 5180)
  - NgScHx_u_yH.exe (PID: 4728)
  - NgScHx_u_yH.exe (PID: 800)
  - NgScHx_u_yH.exe (PID: 980)
  - browser.exe (PID: 908)
  - QHToasts.exe (PID: 808)
  - browser.exe (PID: 3708)
- Create files in a temporary directory
  - edge-cis.exe (PID: 5736)
  - edge-cis.exe (PID: 7052)
  - edge-cis.tmp (PID: 6004)
  - downloader.exe (PID: 5364)
  - YandexPackSetup.exe (PID: 5360)
  - lite_installer.exe (PID: 6044)
  - seederexe.exe (PID: 5556)
  - downloader.exe (PID: 7220)
  - msiexec.exe (PID: 4336)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - Yandex.exe (PID: 7536)
  - sender.exe (PID: 7640)
  - 360TS_Setup.exe (PID: 8068)
  - 360TS_Setup.exe (PID: 8120)
  - yb31AC.tmp (PID: 7216)
  - setup.exe (PID: 5756)
  - browser.exe (PID: 6244)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 5304)
  - KB931125-rootsupd.exe (PID: 7476)
- Process checks computer location settings
  - edge-cis.tmp (PID: 7020)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - downloader.exe (PID: 5364)
  - msiexec.exe (PID: 4336)
  - Yandex.exe (PID: 7536)
  - explorer.exe (PID: 7580)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - 360TS_Setup.exe (PID: 8120)
  - explorer.exe (PID: 7328)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 8036)
  - browser.exe (PID: 6728)
  - browser.exe (PID: 7624)
  - browser.exe (PID: 5136)
  - browser.exe (PID: 7892)
  - browser.exe (PID: 6828)
  - browser.exe (PID: 7452)
  - QHSafeTray.exe (PID: 2516)
- Reads the computer name
  - edge-cis.tmp (PID: 6004)
  - edge-cis.tmp (PID: 7020)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - downloader.exe (PID: 5364)
  - msiexec.exe (PID: 6824)
  - YandexPackSetup.exe (PID: 5360)
  - msiexec.exe (PID: 4336)
  - lite_installer.exe (PID: 6044)
  - seederexe.exe (PID: 5556)
  - downloader.exe (PID: 7220)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - Yandex.exe (PID: 7536)
  - explorer.exe (PID: 7580)
  - sender.exe (PID: 7640)
  - 360TS_Setup.exe (PID: 8068)
  - 360TS_Setup.exe (PID: 8120)
  - yb31AC.tmp (PID: 7216)
  - setup.exe (PID: 5756)
  - explorer.exe (PID: 7328)
  - clidmgr.exe (PID: 7616)
  - browser.exe (PID: 7536)
  - clidmgr.exe (PID: 5048)
  - browser.exe (PID: 5308)
  - browser.exe (PID: 6416)
  - browser.exe (PID: 6244)
  - browser.exe (PID: 7896)
  - browser.exe (PID: 7860)
  - browser.exe (PID: 7244)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 664)
  - browser.exe (PID: 5008)
  - browser.exe (PID: 7964)
  - browser.exe (PID: 7564)
  - browser.exe (PID: 6248)
  - browser.exe (PID: 7348)
  - browser.exe (PID: 3804)
  - browser.exe (PID: 7296)
  - WscReg.exe (PID: 864)
  - WscReg.exe (PID: 472)
  - QHActiveDefense.exe (PID: 6940)
  - EaInstHelper64.exe (PID: 4220)
  - QHSafeTray.exe (PID: 2516)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 4996)
  - PopWndLog.exe (PID: 5200)
  - PopWndLog.exe (PID: 5596)
  - QHSafeTray.exe (PID: 7488)
  - WscReg.exe (PID: 5180)
  - browser.exe (PID: 908)
  - WscReg.exe (PID: 6876)
  - browser.exe (PID: 3708)
- The sample compiled with english language support
  - edge-cis.tmp (PID: 6004)
  - MicrosoftEdgeSetup.exe (PID: 5800)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - downloader.exe (PID: 5364)
  - lite_installer.exe (PID: 6044)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - 360TS_Setup.exe (PID: 8120)
  - yb31AC.tmp (PID: 7216)
  - setup.exe (PID: 5756)
  - browser.exe (PID: 7180)
  - QHActiveDefense.exe (PID: 6940)
  - KB931125-rootsupd.exe (PID: 7476)
- The sample compiled with chinese language support
  - edge-cis.tmp (PID: 6004)
  - 360TS_Setup.exe (PID: 8068)
  - 360TS_Setup.exe (PID: 8120)
  - EaInstHelper64.exe (PID: 4220)
  - QHActiveDefense.exe (PID: 7708)
- The sample compiled with russian language support
  - edge-cis.tmp (PID: 6004)
  - msiexec.exe (PID: 4336)
  - 360TS_Setup.exe (PID: 8120)
  - setup.exe (PID: 5756)
- Reads the software policy settings
  - edge-cis.tmp (PID: 6004)
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - wermgr.exe (PID: 5408)
  - downloader.exe (PID: 5364)
  - msiexec.exe (PID: 6824)
  - lite_installer.exe (PID: 6044)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - slui.exe (PID: 1188)
  - 360TS_Setup.exe (PID: 8120)
  - setup.exe (PID: 5756)
  - explorer.exe (PID: 7328)
  - slui.exe (PID: 7780)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 7964)
  - QHActiveDefense.exe (PID: 7708)
- Detects InnoSetup installer (YARA)
  - edge-cis.exe (PID: 5736)
  - edge-cis.exe (PID: 7052)
  - edge-cis.tmp (PID: 6004)
  - edge-cis.tmp (PID: 7020)
- Creates files in the program directory
  - MicrosoftEdgeSetup.exe (PID: 5800)
  - 360TS_Setup.exe (PID: 8068)
  - 360TS_Setup.exe (PID: 8120)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 2516)
  - PopWndLog.exe (PID: 5200)
  - PopWndLog.exe (PID: 5596)
  - WscReg.exe (PID: 6876)
- Reads Environment values
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - QHSafeTray.exe (PID: 2516)
  - QHActiveDefense.exe (PID: 7708)
- Checks proxy server information
  - MicrosoftEdgeUpdate.exe (PID: 5956)
  - wermgr.exe (PID: 5408)
  - downloader.exe (PID: 5364)
  - lite_installer.exe (PID: 6044)
  - edge-cis.tmp (PID: 6004)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - 360TS_Setup.exe (PID: 8120)
  - setup.exe (PID: 5756)
  - slui.exe (PID: 7780)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 7964)
  - QHSafeTray.exe (PID: 2516)
- Compiled with Borland Delphi (YARA)
  - edge-cis.tmp (PID: 6004)
  - edge-cis.tmp (PID: 7020)
- Creates a software uninstall entry
  - edge-cis.tmp (PID: 6004)
- Creates files or folders in the user directory
  - wermgr.exe (PID: 5408)
  - downloader.exe (PID: 5364)
  - msiexec.exe (PID: 4336)
  - msiexec.exe (PID: 6824)
  - lite_installer.exe (PID: 6044)
  - seederexe.exe (PID: 5556)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - Yandex.exe (PID: 7536)
  - explorer.exe (PID: 7580)
  - explorer.exe (PID: 5492)
  - 360TS_Setup.exe (PID: 8120)
  - setup.exe (PID: 5360)
  - setup.exe (PID: 5756)
  - explorer.exe (PID: 7328)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 6416)
  - browser.exe (PID: 672)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 7224)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 7564)
  - browser.exe (PID: 7964)
  - browser.exe (PID: 7296)
  - QHSafeTray.exe (PID: 2516)
  - edge-cis.tmp (PID: 6004)
- Reads the machine GUID from the registry
  - downloader.exe (PID: 5364)
  - msiexec.exe (PID: 6824)
  - seederexe.exe (PID: 5556)
  - lite_installer.exe (PID: 6044)
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - 360TS_Setup.exe (PID: 8120)
  - setup.exe (PID: 5756)
  - explorer.exe (PID: 7328)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 7296)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 2516)
  - edge-cis.tmp (PID: 6004)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6824)
  - msiexec.exe (PID: 4336)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 5492)
- Yandex updater related mutex has been found
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
  - browser.exe (PID: 7536)
  - browser.exe (PID: 5304)
  - browser.exe (PID: 1012)
  - browser.exe (PID: 7964)
- Disables trace logs
  - 360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe (PID: 7316)
  - 360TS_Setup.exe (PID: 8120)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 2516)
  - QHSafeTray.exe (PID: 4996)
  - QHSafeTray.exe (PID: 7488)
- Local mutex for internet shortcut management
  - Yandex.exe (PID: 7536)
  - explorer.exe (PID: 5492)
- The sample compiled with turkish language support
  - 360TS_Setup.exe (PID: 8120)
- Manual execution by a user
  - browser.exe (PID: 7536)
  - {40D89D90-5484-410A-9B2E-6981BA3C5ABD}.exe (PID: 7344)
- Process checks whether UAC notifications are on
  - 360TS_Setup.exe (PID: 8120)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 2516)
- Reads CPU info
  - 360TS_Setup.exe (PID: 8120)
  - QHActiveDefense.exe (PID: 7708)
  - QHSafeTray.exe (PID: 2516)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (51.8)
.exe	\|	InstallShield setup (20.3)
.exe	\|	Win32 EXE PECompact compressed (generic) (19.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.1)
.exe	\|	Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:04:27 08:22:11+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	682496
InitializedDataSize:	48128
UninitializedDataSize:	-
EntryPoint:	0xa7ed0
OSVersion:	6
ImageVersion:	6
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	6.23.19.171
ProductVersionNumber:	6.23.19.171
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	MicrosoftEdge
FileVersion:	6.23.19.171
LegalCopyright:
OriginalFileName:
ProductName:	MicrosoftEdge
ProductVersion:	5.29.83.1529

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

270

Monitored processes

132

Malicious processes

102

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

472

"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe

services.exe

User:

SYSTEM

Company:

Qihoo 360 Technology Co. Ltd.

Integrity Level:

SYSTEM

Description:

360 Total Security <WscReg.exe>

Exit code:

Version:

9, 2, 0, 1031

Modules

Images
c:\program files (x86)\360\total security\safemon\wscreg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

532

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\System32\csrss.exe

—

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Client Server Runtime Process

Version:

10.0.19041.1 (WinBuild.160101.0800)

664

"C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=6a097089-020a-4e95-a42e-c6932e70b811 --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --gpu-process-kind=sandboxed --field-trial-handle=2404,i,1884775424906325669,2140550139139367340,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:2

C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe

browser.exe

User:

admin

Company:

YANDEX LLC

Integrity Level:

LOW

Description:

Yandex with voice assistant Alice

Exit code:

Version:

25.2.6.697

Modules

Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll

672

C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1745043076 --annotation=last_update_date=1745043076 --annotation=launches_after_update=1 --annotation=machine_id=97b7721c4994e2556ff6a439510f665d --annotation=main_process_pid=5304 --annotation=metrics_client_id=a57ff17397bf4b7299464b6509eba25c --annotation=micromode=broupdater --annotation=plat=Win64 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=25.2.6.697 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffc87fd58d0,0x7ffc87fd58dc,0x7ffc87fd58e8

C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe

browser.exe

User:

admin

Company:

YANDEX LLC

Integrity Level:

MEDIUM

Description:

Yandex with voice assistant Alice

Exit code:

Version:

25.2.6.697

Modules

Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

672

"C:\WINDOWS\system32\bcdedit.exe" /set flightsigning on

C:\Windows\System32\bcdedit.exe

—

360TS_Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Boot Configuration Data Editor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll

684

"C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=6a097089-020a-4e95-a42e-c6932e70b811 --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --process-name="Data Decoder Service" --field-trial-handle=7480,i,17135219961656772721,141421571033040994,262144 --variations-seed-version --mojo-platform-channel-handle=7704 --brver=25.2.6.697 /prefetch:8

C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe

browser.exe

User:

admin

Company:

YANDEX LLC

Integrity Level:

LOW

Description:

Yandex with voice assistant Alice

Exit code:

Version:

25.2.6.697

Modules

Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll

744

"C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ru --service-sandbox-type=none --message-loop-type-ui --user-id=6a097089-020a-4e95-a42e-c6932e70b811 --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --process-name="Утилиты Windows" --field-trial-handle=7208,i,17135219961656772721,141421571033040994,262144 --variations-seed-version --mojo-platform-channel-handle=7124 --brver=25.2.6.697 /prefetch:8

C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe

browser.exe

User:

admin

Company:

YANDEX LLC

Integrity Level:

MEDIUM

Description:

Yandex with voice assistant Alice

Exit code:

Version:

25.2.6.697

Modules

Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll

776

"C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=ru --service-sandbox-type=service --user-id=6a097089-020a-4e95-a42e-c6932e70b811 --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --process-name="Распаковщик файлов" --field-trial-handle=5828,i,17135219961656772721,141421571033040994,262144 --variations-seed-version --mojo-platform-channel-handle=2512 --brver=25.2.6.697 /prefetch:8

C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe

browser.exe

User:

admin

Company:

YANDEX LLC

Integrity Level:

LOW

Description:

Yandex with voice assistant Alice

Exit code:

Version:

25.2.6.697

Modules

Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll

800

"C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\ROacfpuxceE3h.cmus\NgScHx_u_yH.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\World of Warships.lnk" 5386

C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\ROacfpuxceE3h.cmus\NgScHx_u_yH.exe

—

edge-cis.tmp

User:

admin

Company:

Technosys Corporation

Integrity Level:

MEDIUM

Description:

Pin To Taskbar

Exit code:

Version:

0.99.9.1

Modules

Images
c:\users\admin\appdata\local\temp\is-qkn83.tmp\roacfpuxcee3h.cmus\ngschx_u_yh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

808

"C:\Program Files (x86)\360\Total Security\safemon\QHToasts.exe" /riskprompt

C:\Program Files (x86)\360\Total Security\safemon\QHToasts.exe

—

QHSafeTray.exe

User:

admin

Integrity Level:

HIGH

Description:

Windows 8 Toast Notification

Exit code:

Version:

8,6,0,1000

Modules

Images
c:\program files (x86)\360\total security\safemon\qhtoasts.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

104 802

Read events

100 725

Write events

2 460

Delete events

1 617

Modification events


(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000007028C
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000030300
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000202FC
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:	(5956) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe
Operation:	write	Name:	DisableExceptionChainValidation
Value: 0
(PID) Process:	(5956) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\proxy
Operation:	write	Name:	source
Value: auto
(PID) Process:	(5956) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{CE8AD42E-BB41-4060-A366-20FA232380DE}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5956) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{CE8AD42E-BB41-4060-A366-20FA232380DE}
Operation:	write	Name:	PersistedPingString
Value: <?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.151.27" shell_version="1.3.147.37" ismachine="1" sessionid="{6A815816-413F-41D5-BAC2-434397590917}" userid="{FD984739-A122-4DB0-BE5B-46E3E09D84E4}" installsource="taggedmi" requestid="{CE8AD42E-BB41-4060-A366-20FA232380DE}" dedup="cr" domainjoined="0"><hw logical_cpus="4" physmemory="4" disk_type="2" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="10.0.19045.4046" sp="" arch="x64"/><oem product_manufacturer="DELL" product_name="DELL"/><exp etag=""r452t1+k2Tgq/HXzjvFNBRhopBWR9sbjXxqeUDH9uX0=""/><app appid="{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}" version="1.3.185.17" nextversion="1.3.151.27" lang="ru" brand="" client=""><event eventtype="2" eventresult="1" errorcode="0" extracode1="0" install_time_ms="500"/></app></request>
(PID) Process:	(5956) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{CE8AD42E-BB41-4060-A366-20FA232380DE}
Operation:	write	Name:	PersistedPingTime
Value: 133895165639688973
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000020378
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000202FC
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

1 509

Suspicious files

1 935

Text files

703

Unknown types

Dropped files

PID	Process	Filename		Type
6004	edge-cis.tmp	C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6004	edge-cis.tmp	C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\yvVtmf2IxedL_XC\b0HOR.aiff		binary
		MD5:A150DA0EED596E279C6DEB1FEA8D6F2C	SHA256:2A8CEAB50BE99D2FD3A21C653A379F9C99D0E15E753B1906DE1CBFE6D46E959E
6004	edge-cis.tmp	C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\Cb8waZs8ilUnJ_u.vob\botva2.dll		executable
		MD5:EF899FA243C07B7B82B3A45F6EC36771	SHA256:DA7D0368712EE419952EB2640A65A7F24E39FB7872442ED4D2EE847EC4CFDE77
6004	edge-cis.tmp	C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\FCPe6rkAhD_H3usxkdMivVC\jY6uM8yqBr6ALPAy1xJULn9.dll		executable
		MD5:36D775C36616C72B16B419730D4B2801	SHA256:7246F27406D90CA9DD88E609F1051D7A10DC49075AD1C942401BAC4120F7F6B5
5736	edge-cis.exe	C:\Users\admin\AppData\Local\Temp\is-KK2CQ.tmp\edge-cis.tmp		executable
		MD5:3E2E22576C1196263F8140CAC76334E8	SHA256:57CBBAE38320D760C4AD0265F4606DAA03937E6D654D6A414BB2AEB4586748D6
7052	edge-cis.exe	C:\Users\admin\AppData\Local\Temp\is-1RFL1.tmp\edge-cis.tmp		executable
		MD5:3E2E22576C1196263F8140CAC76334E8	SHA256:57CBBAE38320D760C4AD0265F4606DAA03937E6D654D6A414BB2AEB4586748D6
6004	edge-cis.tmp	C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\oA2q.mus\Pe0m6LHa.wma.ini		binary
		MD5:F05FA264C10F0E3F3FDFD4AE84A3064B	SHA256:BBD9B549277A01AF96F5583DC2AD67FFA0D58E001F537F95BF3040CD81829EA9
6004	edge-cis.tmp	C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\yvVtmf2IxedL_XC\Cb8waZs8ilUnJ_u.vob		binary
		MD5:0FB464321EE94C22EAB45BCCF8E1C3F3	SHA256:779BA29CC5CEA85D9BEC7733DC4FAE1B2451F021D822EE80AC1A327768A67E2B
5492	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6004	edge-cis.tmp	C:\Users\admin\AppData\Local\Temp\is-QKN83.tmp\b0HOR.aiff\CallbackCtrl.dll		executable
		MD5:F07E819BA2E46A897CFABF816D7557B2	SHA256:68F42A7823ED7EE88A5C59020AC52D4BBCADF1036611E96E470D986C8FAA172D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

102

TCP/UDP connections

292

DNS requests

159

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5364	downloader.exe	GET	302	5.45.205.243:80	http://download.yandex.ru/yandex-pack/downloader/info.rss	unknown	—	—	whitelisted
—	—	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5364	downloader.exe	GET	200	5.45.200.104:80	http://cachev2-fra-01.cdn.yandex.net/downloader.yandex.net/yandex-pack/631081/YandexPackSetup.exe?lid=290	unknown	—	—	whitelisted
5408	wermgr.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5364	downloader.exe	GET	200	151.101.130.133:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted
5408	wermgr.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5364	downloader.exe	GET	200	151.101.130.133:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDG8SbJzCh95FjOiQ9g%3D%3D	unknown	—	—	whitelisted
6044	lite_installer.exe	GET	200	213.180.204.14:80	http://clck.yandex.ru/click/dtype=stred/pid=198/cid=73002/path=0.winapi_download/ui=%7B6a097089-020a-4e95-a42e-c6932e70b811%7D/clid1=9103221-191/dt=0/ds=0/bits=7_8_19041_3636/bver=0_0_0_0/prod_version=1_0_1_9/result=ok/*	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2112	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6004	edge-cis.tmp	35.228.27.190:443	conf.datarcv.ru	GOOGLE-CLOUD-PLATFORM	FI	unknown
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.32.140:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
google.com	142.250.185.78	whitelisted
conf.datarcv.ru	35.228.27.190	unknown
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
login.live.com	40.126.32.140 20.190.160.65 40.126.32.74 40.126.32.76 20.190.160.5 40.126.32.138 20.190.160.132 20.190.160.128	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
stat.datarcv.ru	35.228.27.190	unknown
config.edge.skype.com	13.107.42.16	whitelisted
download.yandex.ru	5.45.205.243 5.45.205.245 5.45.205.242 5.45.205.241 5.45.205.244	whitelisted

Threats

PID	Process	Class	Message
5364	downloader.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5364	downloader.exe	Misc activity	ET INFO Packed Executable Download
6044	lite_installer.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6044	lite_installer.exe	Misc activity	ET INFO EXE - Served Attached HTTP
6004	edge-cis.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Inno Download Plugin UA
6004	edge-cis.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Inno Download Plugin UA
6004	edge-cis.tmp	Misc activity	ET INFO Packed Executable Download
6004	edge-cis.tmp	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7316	360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7316	360TS_Setup_Mini_WW_Coin_CPI202201_6.6.0.1054.exe	Misc activity	ET INFO Packed Executable Download

Add for printing

No debug info

General Info

edge-cis.exe

05229FAF10CCA0D4BC5AB297D845B5F5

379A7EC986707DD230D87F7B07B6D9BD6474D001

8FD248D06BF0F14AE1FF27963F51B86BDA17C8E4CD9C7575826EB47CB757A173

98304:/bUWxQTRNrd9NoDY2tOXruW+565qWKgBHhd4z329rnFqnIbi8ho6EJiAwdE2IsxA:v0dFU0J9ADRlBH4HAXjnaoj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

ADWARE has been detected (SURICATA)

Changes the autorun value in the registry

Registers / Runs the DLL via REGSVR32.EXE

Executing a file with an untrusted certificate

Runs injected code in another process

Application was injected by another process

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Searches for installed software

Disables SEHOP

There is functionality for taking screenshot (YARA)

Process requests binary or script from the Internet

Adds/modifies Windows certificates

Application launched itself

Potential Corporate Privacy Violation

Reads Mozilla Firefox installation path

Access to an unwanted program domain was detected

Changes the title of the Internet Explorer window

Changes the Home page of Internet Explorer

The process creates files with name similar to system file names

Starts itself from another location

Creates a software uninstall entry

Creates file in the systems drive root

The process verifies whether the antivirus software is installed

Drops 7-zip archiver for unpacking

Starts application with an unusual extension

Reads the date of Windows installation

The process checks if it is being run in the virtual environment

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Creates or modifies Windows services

Creates/Modifies COM task schedule object

Executes as Windows Service

Connects to the server without a host name

INFO

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Reads the computer name

The sample compiled with english language support

The sample compiled with chinese language support

The sample compiled with russian language support

Reads the software policy settings

Detects InnoSetup installer (YARA)

Creates files in the program directory

Reads Environment values

Checks proxy server information

Compiled with Borland Delphi (YARA)

Creates a software uninstall entry

Creates files or folders in the user directory

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Yandex updater related mutex has been found

Disables trace logs

Local mutex for internet shortcut management

The sample compiled with turkish language support

Manual execution by a user

Process checks whether UAC notifications are on

Reads CPU info

Malware configuration

Static information