banload | 5803d1da3820714c123d1bcbbb97fc8866fd073473531e75a0f05d68d49604c8

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
Size

2.3MB
MD5

650181ce9cde52bb88bfe7daa9e9a4bb
SHA1

ace711594336ff15819bca2fe5b1b0d5f253058a
SHA256

5803d1da3820714c123d1bcbbb97fc8866fd073473531e75a0f05d68d49604c8
SHA512

1327cd789c145432a4076371451f665ee5d071f63d84b2baee9b506c34eb3a6184010c79806e4d3f13db748b93782fcba48d595624420ea07d68ea0c4811e91b
SSDEEP

49152:6OIq2/Om3iBTnTS/sWn3cvvB68B1ECYJgkUzgaAmZea+:6Oh22mqTQsWn3cvp68B+5JA3AmZeR

Score

10^/10

banload adware discovery downloader dropper persistence privilege_escalation stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
24	1940	Process not Found

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
372	setup.exe
3020	setup.exe
2152	setup.exe
872	setup.exe
228	setup.exe
2356	setup.exe
624	setup.exe
1688	setup.exe
2868	setup.exe
3544	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho_64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8ede883c-d2e9-4dd3-a8fe-d014b025f5bc.tmp	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_feedback\camera_mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2152_13383964103782467_2152.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EdgeWebView.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\ffmpeg.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\d3dcompiler_47.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\kn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\kok.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_elf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\oneds.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bg.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1688_13383964104585334_1688.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mip_core.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\is.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\km.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2932	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ = "Internet Explorer(Ver 1.0)"	2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\VersionIndependentProgID\ = "InternetExplorer.Application"	2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\AppUserModelId = "MSEdge"	setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	setup.exe
228	setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2548	2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
Token: SeIncBasePriorityPrivilege	2548	2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
Token: 33	372	setup.exe
Token: SeIncBasePriorityPrivilege	372	setup.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 372	396	MicrosoftEdge_X64_133.0.3065.59.exe	97
PID 396 wrote to memory of 372	396	MicrosoftEdge_X64_133.0.3065.59.exe	97
PID 372 wrote to memory of 3020	372	setup.exe	98
PID 372 wrote to memory of 3020	372	setup.exe	98
PID 372 wrote to memory of 2152	372	setup.exe	99
PID 372 wrote to memory of 2152	372	setup.exe	99
PID 2152 wrote to memory of 872	2152	setup.exe	100
PID 2152 wrote to memory of 872	2152	setup.exe	100
PID 372 wrote to memory of 228	372	setup.exe	101
PID 372 wrote to memory of 228	372	setup.exe	101
PID 372 wrote to memory of 2356	372	setup.exe	102
PID 372 wrote to memory of 2356	372	setup.exe	102
PID 228 wrote to memory of 624	228	setup.exe	103
PID 228 wrote to memory of 624	228	setup.exe	103
PID 372 wrote to memory of 1688	372	setup.exe	104
PID 372 wrote to memory of 1688	372	setup.exe	104
PID 2356 wrote to memory of 2868	2356	setup.exe	105
PID 2356 wrote to memory of 2868	2356	setup.exe	105
PID 1688 wrote to memory of 3544	1688	setup.exe	106
PID 1688 wrote to memory of 3544	1688	setup.exe	106

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe"
1⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEFERjMxRTQtMDZCRi00NTcxLThFNzAtNDU1RDg3QTA1Qjg1fSIgdXNlcmlkPSJ7MUMzNzhBNzAtRThEMS00QkU5LThFOTEtNEVEQUQ2M0I3ODJFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjM5QTFCN0YtNkYzMC00RDBELTk1NUUtRDM4M0M5QTdBODUxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODU2NjYyMjk2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2932

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:372
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7865b6a68,0x7ff7865b6a74,0x7ff7865b6a80
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3020
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7865b6a68,0x7ff7865b6a74,0x7ff7865b6a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:872
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff68b836a68,0x7ff68b836a74,0x7ff68b836a80
      4⤵
      Executes dropped EXE
      PID:624
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0xec,0xe8,0xe0,0xb4,0xcc,0x7ff68b836a68,0x7ff68b836a74,0x7ff68b836a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff68b836a68,0x7ff68b836a74,0x7ff68b836a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
ad5f7dc7ca3e67dce70c0a89c04519e0

SHA1
a10b03234627ca8f3f8034cd5637cda1b8246d83

SHA256
663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

SHA512
ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

Download Submit
C:\Program Files\msedge_installer.log

Filesize
72KB

MD5
d0290efd8d246c3aec063f869c278c9a

SHA1
67dbbf2ef4e7354026ee8f66624c0cad90498984

SHA256
bd77341474f185bc3aa7c8d3ca01a869192b3986528cb6234b222eab241fd14c

SHA512
a63c4aec18e5c4100710bfe2ff6e3844ae1b16d3e4a92ccffbea94376976acafd20732c38fee46ff66345f3e955e007c6f341bdeb756b917f3ef2c41a6a1a2a4

Download Submit
C:\Program Files\msedge_installer.log

Filesize
98KB

MD5
a8645bf5dd14ebcaf6498bc3cb6c4189

SHA1
4180da0fdcce9b05404756f972d37545b44b7d40

SHA256
a5236faf74414194ddbf5063fe65576b25eb461db02b3f08fb8776d96e1652c0

SHA512
fac19d9f405afef6752e6c7dff26382afee092fcc1de9ddb843c61cb69bee53b058940915de8f5b15353ab79952764e8575f7f1f73d7414f6ca8febccd01244b

Download Submit
C:\Program Files\msedge_installer.log

Filesize
101KB

MD5
0725cabac4352ea8e07384aa414304b2

SHA1
b8f5ff8e4dcf6e5811c817167650920fba299a48

SHA256
c332d248cdf1ecd9a5f1b1e07216c5536679177bc5577c14a50cc9daf2a39173

SHA512
ad9cb941d5f5f78caaf2cffdf666dd172d6b971d2b426962d0918f63bf3fd25e2f7dbc7e8ef469d62e17a78c3f5d9f7e354a0309cf440168373713918ae5e38f

Download Submit
C:\Program Files\msedge_installer.log

Filesize
103KB

MD5
073a437742a48fdb5f3a62a3fde40a4f

SHA1
74a40e861a67188b4691f0d84ad4bfff2088d761

SHA256
f63be6ba45f912d51ee28921ad298ab5beab0a149ecb578961f4f921f19934ae

SHA512
f52113096ac2a5c021e712fe4872d708ba582af53409477d110b982750c40a364e115c189e737a2490331f21b054f04492c487bc1389754c0b14bdb1022a1124

Download Submit
memory/2548-18-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-14-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-19-0x0000000002950000-0x0000000002B51000-memory.dmp

Filesize
2.0MB

Download
memory/2548-21-0x0000000002950000-0x0000000002B51000-memory.dmp

Filesize
2.0MB

Download
memory/2548-23-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-15-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-16-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-17-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-0-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-10-0x00000000755C9000-0x00000000755CA000-memory.dmp

Filesize
4KB

Download
memory/2548-8-0x0000000002950000-0x0000000002B51000-memory.dmp

Filesize
2.0MB

Download
memory/2548-2-0x0000000002950000-0x0000000002B51000-memory.dmp

Filesize
2.0MB

Download