Malware Analysis Report

2025-03-15 08:29

Sample ID 250213-3r7akaxlcp
Target 2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia
SHA256 5803d1da3820714c123d1bcbbb97fc8866fd073473531e75a0f05d68d49604c8
Tags
banload adware discovery downloader dropper persistence privilege_escalation stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5803d1da3820714c123d1bcbbb97fc8866fd073473531e75a0f05d68d49604c8

Threat Level: Known bad

The file 2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia was found to be: Known bad.

Malicious Activity Summary

banload adware discovery downloader dropper persistence privilege_escalation stealer trojan

Banload family

Banload

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-13 23:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-13 23:45

Reported

2025-02-13 23:48

Platform

win10v2004-20250207-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho_64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ga.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8ede883c-d2e9-4dd3-a8fe-d014b025f5bc.tmp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Other C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Internal.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\lt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_feedback\camera_mf_trace.wprp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2152_13383964103782467_2152.pma C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\LogoCanary.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\zh-CN.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Other C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EdgeWebView.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fil.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ta.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\msedge_installer.log C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoCanary.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\ffmpeg.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sr-Cyrl-BA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\canary.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\d3dcompiler_47.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Dev.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\kn.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\qu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\kok.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Other C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_elf.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bs.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\oneds.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vccorlib140.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader_icd.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bg.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\nb.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_wer.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1688_13383964104585334_1688.pma C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mip_core.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Social C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\is.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\km.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cs.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ = "Internet Explorer(Ver 1.0)" C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\VersionIndependentProgID\ = "InternetExplorer.Application" C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 372 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 396 wrote to memory of 372 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 372 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 372 wrote to memory of 3020 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 372 wrote to memory of 2152 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 372 wrote to memory of 2152 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 2152 wrote to memory of 872 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 2152 wrote to memory of 872 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe
PID 372 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 372 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 372 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 372 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 228 wrote to memory of 624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 228 wrote to memory of 624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 372 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 372 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2356 wrote to memory of 2868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2356 wrote to memory of 2868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1688 wrote to memory of 3544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1688 wrote to memory of 3544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODU2NjYyMjk2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7865b6a68,0x7ff7865b6a74,0x7ff7865b6a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7865b6a68,0x7ff7865b6a74,0x7ff7865b6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff68b836a68,0x7ff68b836a74,0x7ff68b836a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0xec,0xe8,0xe0,0xb4,0xcc,0x7ff68b836a68,0x7ff68b836a74,0x7ff68b836a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff68b836a68,0x7ff68b836a74,0x7ff68b836a80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.129.180:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

memory/2548-0-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/2548-2-0x0000000002950000-0x0000000002B51000-memory.dmp

memory/2548-8-0x0000000002950000-0x0000000002B51000-memory.dmp

memory/2548-10-0x00000000755C9000-0x00000000755CA000-memory.dmp

memory/2548-18-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/2548-17-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/2548-16-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/2548-15-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/2548-14-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/2548-19-0x0000000002950000-0x0000000002B51000-memory.dmp

memory/2548-21-0x0000000002950000-0x0000000002B51000-memory.dmp

memory/2548-23-0x0000000000400000-0x00000000006F2000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{27D1E919-F633-466D-925A-A6973058BB30}\EDGEMITMP_25A9A.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

C:\Program Files\msedge_installer.log

MD5 d0290efd8d246c3aec063f869c278c9a
SHA1 67dbbf2ef4e7354026ee8f66624c0cad90498984
SHA256 bd77341474f185bc3aa7c8d3ca01a869192b3986528cb6234b222eab241fd14c
SHA512 a63c4aec18e5c4100710bfe2ff6e3844ae1b16d3e4a92ccffbea94376976acafd20732c38fee46ff66345f3e955e007c6f341bdeb756b917f3ef2c41a6a1a2a4

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Program Files\msedge_installer.log

MD5 a8645bf5dd14ebcaf6498bc3cb6c4189
SHA1 4180da0fdcce9b05404756f972d37545b44b7d40
SHA256 a5236faf74414194ddbf5063fe65576b25eb461db02b3f08fb8776d96e1652c0
SHA512 fac19d9f405afef6752e6c7dff26382afee092fcc1de9ddb843c61cb69bee53b058940915de8f5b15353ab79952764e8575f7f1f73d7414f6ca8febccd01244b

C:\Program Files\msedge_installer.log

MD5 0725cabac4352ea8e07384aa414304b2
SHA1 b8f5ff8e4dcf6e5811c817167650920fba299a48
SHA256 c332d248cdf1ecd9a5f1b1e07216c5536679177bc5577c14a50cc9daf2a39173
SHA512 ad9cb941d5f5f78caaf2cffdf666dd172d6b971d2b426962d0918f63bf3fd25e2f7dbc7e8ef469d62e17a78c3f5d9f7e354a0309cf440168373713918ae5e38f

C:\Program Files\msedge_installer.log

MD5 073a437742a48fdb5f3a62a3fde40a4f
SHA1 74a40e861a67188b4691f0d84ad4bfff2088d761
SHA256 f63be6ba45f912d51ee28921ad298ab5beab0a149ecb578961f4f921f19934ae
SHA512 f52113096ac2a5c021e712fe4872d708ba582af53409477d110b982750c40a364e115c189e737a2490331f21b054f04492c487bc1389754c0b14bdb1022a1124

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-13 23:45

Reported

2025-02-13 23:48

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C} C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ = "MIDI Sequence" C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\TreatAs C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\TreatAs\ = "{F20DA720-C02F-11CE-927B-0800095AE340}" C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-13_650181ce9cde52bb88bfe7daa9e9a4bb_mafia.exe"

Network

N/A

Files

memory/1980-0-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/1980-1-0x0000000002590000-0x0000000002791000-memory.dmp

memory/1980-7-0x0000000002590000-0x0000000002791000-memory.dmp

memory/1980-8-0x0000000075DFB000-0x0000000075DFC000-memory.dmp

memory/1980-13-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/1980-18-0x0000000002590000-0x0000000002791000-memory.dmp

memory/1980-17-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/1980-16-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/1980-15-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/1980-14-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/1980-20-0x0000000075DC0000-0x0000000075ED0000-memory.dmp

memory/1980-21-0x0000000002590000-0x0000000002791000-memory.dmp

memory/1980-23-0x0000000000400000-0x00000000006F2000-memory.dmp

memory/1980-24-0x0000000075DC0000-0x0000000075ED0000-memory.dmp