Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250218-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250218-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07/03/2025, 19:12

General

  • Target

    MirsoftEde-Seup.exe

  • Size

    113.8MB

  • MD5

    437e77a81f65b728961540a13564f4ab

  • SHA1

    141ef5d76fc21c8958edfb9e903a9719cdb3bee5

  • SHA256

    5ef443293aafe44fcc69d4aeb8a43ab7f1b93e3e0591c52f86ab66bde6dd8c6c

  • SHA512

    669955f564b94035afc9d748639454449de52c9e2630efde3f631422dedf07d1cb7ba69b999d3b3f4e2081f617326f08a297be8b94a29192cfbc06ff4242215c

  • SSDEEP

    3145728:P+vX0Hb5gQb2fL9qcIqX/XoUtrsRum+ETy43AkG+AKpqG33O6k:W87GSmsR6EdAkkKpqGHY

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MirsoftEde-Seup.exe
    "C:\Users\Admin\AppData\Local\Temp\MirsoftEde-Seup.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Program Files (x86)\libcef.exe
      "C:\Program Files (x86)\libcef.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1908
    • C:\Program Files (x86)\MicrosoftEdgeSetup.exe
      "C:\Program Files (x86)\MicrosoftEdgeSetup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files (x86)\Microsoft\Temp\EU7E82.tmp\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\Temp\EU7E82.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=prefers&lang=zh-cn&brand=M100"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks system information in the registry
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4276
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /healthcheck
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2972
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuNDMiIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjM1IiBsYW5nPSJ6aC1jbiIgYnJhbmQ9Ik0xMDAiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjUxMjYwMjYzIiBpbnN0YWxsX3RpbWVfbXM9IjE3MiIvPjwvYXBwPjwvcmVxdWVzdD4
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:4288
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=prefers&lang=zh-cn&brand=M100" /installsource taggedmi /sessionid "{F6F8D737-BFE5-4E37-93E2-BEB099D86D51}"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5028
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-[…]-PC9hcHA-PC9yZXF1ZXN0Pg
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:1700
          • C:\Windows\SysWOW64\wermgr.exe
            "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5028" "1132" "1136" "1228" "0" "0" "0" "0" "0" "0" "0" "0"
            5⤵
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:1668
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMy4wLjMwNjUuNjkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxNyIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5ODY4OTgzIj48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTI2NDIyOTA0OSIvPjwvYXBwPjwvcmVxdWVzdD4
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:3152
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\MicrosoftEdge_X64_134.0.3124.51.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\MicrosoftEdge_X64_134.0.3124.51.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:3420
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\MicrosoftEdge_X64_134.0.3124.51.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Installs/modifies Browser Helper Object
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:976
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=134.0.6998.45 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=134.0.3124.51 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff737d2cd48,0x7ff737d2cd54,0x7ff737d2cd60
                7⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                PID:2372
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:4288
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=134.0.6998.45 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=134.0.3124.51 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff737d2cd48,0x7ff737d2cd54,0x7ff737d2cd60
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:2096
              • C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                7⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:1632
                • C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=134.0.6998.45 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=134.0.3124.51 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6d7d8cd48,0x7ff6d7d8cd54,0x7ff6d7d8cd60
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:2064
              • C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                7⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:4908
                • C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=134.0.6998.45 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\134.0.3124.51\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=134.0.3124.51 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6d7d8cd48,0x7ff6d7d8cd54,0x7ff6d7d8cd60
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:1200
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEzNC4wLjMxMjQuNTEiIGxhbmc9InpoLWNuIiBicmFuZD0iTTEwMCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIxNyIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzg0MzQ1NjcyMzgwMTM4MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjY5Mzg1NDQyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-[…]-[…]-PC9hcHA-PC9yZXF1ZXN0Pg
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:1192
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4104,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:14
    1⤵
    PID:1100
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5300,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:14
      1⤵
      PID:2036

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\MicrosoftEdgeSetup.exe

        Filesize

        1.6MB

        MD5

        6488f42e7cbac0c674942359e92ec4bb

        SHA1

        fd5df680d286ec05937c83f9af3b43a79ec8b45f

        SHA256

        95550d9a0e0cca2f447f841a0522f6c5273162941db7d56d41605b556fda8b1f

        SHA512

        cb687f76bdc943a1b0dad4c80ad8e959434fc1995d7bbb95fc054eed05acd8bf275c7ecb09860d945f11d01872a03887a108c6fecfa43a86d21f539e85f74353

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E506F5D7-718F-4764-885E-2BED80700ACC}\EDGEMITMP_65BF6.tmp\setup.exe

        Filesize

        7.2MB

        MD5

        913fb6340d755d6c33c304c60b5c7838

        SHA1

        16d70344bd6d74ba611a57c59d6c227fcf1a3a9f

        SHA256

        8500967b53304d83c3a12f92b89b45d804d73de9d9b3721f1efe09f000ede789

        SHA512

        370473b6409b476a3d9194a50d21e53d359e40fb535fa68354bdea23c47ccd04e08b9fdbdd7ee030ac507b358b4f2b4daf64637ad0ffa89bda2bf862449e34ab

      • C:\Program Files (x86)\Microsoft\Temp\EU7E82.tmp\MicrosoftEdgeUpdate.exe

        Filesize

        201KB

        MD5

        db1acd5625c82435c72dfe120e0fddd7

        SHA1

        b8cad7b3f9efec8b4ff3c8c344481ba509096021

        SHA256

        f8cbc120b6d4536300838ffb510b0a4dbff19086065d0ddd015386a73bcb5a09

        SHA512

        13c8cbcdfb72f6a220825d35f5bc0d1a31046e32fb2258ae55f6538e4b0779fe20f2b92c0ad264256d9268f24e0480468e7f90985a5ba3e8c2a62211e760a010

      • C:\Program Files (x86)\Microsoft\Temp\EU7E82.tmp\msedgeupdate.dll

        Filesize

        2.1MB

        MD5

        396fe7495ec53d354cc4383e3590c296

        SHA1

        22f1c3b7b21a1f80f8d53b0e69e7df740e811bf4

        SHA256

        66dd98d249287e7707b8f1ee181bfb7ab1e2d1d96a5a8a4605d2cc4065a516ec

        SHA512

        c9826a18b5e4e8ff60d9960835c513d82c84c9fd864fb9e5ca99b276d32c88d1362beb870f3d7faab36009b7a430000d603483b1e7d4f124f87e366b0455ec1b

      • C:\Program Files (x86)\Microsoft\Temp\EU7E82.tmp\msedgeupdateres_zh-cn.dll

        Filesize

        21KB

        MD5

        ceec929905877773cecd70ae48f77da4

        SHA1

        139bb299a3dbc71d4f3aad86f6c4aa8ea2526035

        SHA256

        fcd455c3983f3f7ac233c02170b1fba2d4dc93b34c0169176b4c92bd34d4527a

        SHA512

        28c946b6d342b2301012c480fed4a817e220c57a5e406448cfee6514d723567c1f5e33eabc83370c53c103e4c8b8adf331492b43b3d2ef0bb6a4709f572c0aca

      • C:\Program Files (x86)\libcef.exe

        Filesize

        440KB

        MD5

        71efcad545b463046639217a13374130

        SHA1

        6dab64e59b94adb4a76984e0b8364d352b2566ec

        SHA256

        7d411b417c49604305ce9661da23b49a3a3e1ed1bd9d4c5986b4bf5e5f6da5e9

        SHA512

        b9292d619dc2638a1df252371b100bc25ea52eba0316577cb299c7456875d629e2f8de4abe99cc77e17479665b50d1627342a712f7b7350a150f4628d27f99f2

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        323KB

        MD5

        4cb788262fa59c4be8f0b1cb1ddddc4e

        SHA1

        f3b89abb10b5bce78414e0dafb2f9bf05a0c3d90

        SHA256

        e033730b673aeaa76a67341ee025a873e1c84019d5163ba56637a8754c420002

        SHA512

        dd13cb0049e884461f9e2c9ef593c6673771d9e6ce5ad4fee7761adc63791a2e545c81299664b7e0e717d9a0a6b37a3b6bd574fbb18defa8dfa85ccf9c048723

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        329KB

        MD5

        5d7a0ba41bd648103370bdf2c0f519a6

        SHA1

        32e444544a308be732bf26c8bdde41b35cdc940a

        SHA256

        096edca798bc1fd536679bbf346dcae2c3f78488662dc22e28651b70b6d5c55a

        SHA512

        142c83e0b802b1690b6dcfc27a01eb7e34eeaed07a2d0c1693c213b0dde190dcc76eb41de999a54f921013e69b212467d0f79b8444853654663d0f6fbea403e4

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        334KB

        MD5

        fd1f85a6dc3119e0a4f5455f01012f82

        SHA1

        deb5bb2209c833386f4754fd5a073da0934f29da

        SHA256

        c6eb0c7a7581ef4c00c8b433eec62ba8ebaa2b66e285eac7c85e8762ce9a95e9

        SHA512

        b316fdcee66b3cf5de5efd7a24cac443bf3250846db8a7bb75c1c6d6528748a525d765c99b29f43a251c1660e9692342b18485b3ad03031d370da7c553f86e05

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        342KB

        MD5

        a76397571803d230d615bfc0b448d9a6

        SHA1

        0179ff1e454cab0670a9b1e1e501bdbafb103db9

        SHA256

        36c76caadd27f18f27a34580111dc749fd0d00aca0337ff0afe2cfe182f825f6

        SHA512

        b672ca36811cd1fb594b05d5e3e66e6801f837cf3b9dca85223777964aeb84c5dbc28794bcf2952fed3e67766700dd30c54847e9dfbc89cd60edf51296316003

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        346KB

        MD5

        c812dcba59ad9ceb357d53f12448361b

        SHA1

        e16adfa6329d1ba76ec4c1d6263ded6d9b95c509

        SHA256

        5aaed4905d31eeb439235ecc48ac08840e2c1ed810a22ab2095f890f1a5cb244

        SHA512

        34115bff95595ed3b16b26c8ff95d51d9840eedcdc8f2c001c0dd91a14d23bef809b081e1fbbabe41b4763f680ffbd7e0603e5b841a5968fa08bde80b4d1e941

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        351KB

        MD5

        637aba53a6cae73b5010ed0dddbcd799

        SHA1

        67430bea1a033b7dc2aa877b1058b51f08f1b2e2

        SHA256

        50a51ef31525e3227459cdff564ea3ef28497477b829c006cea3b69f6fd1a754

        SHA512

        26522d401f1626e2a42185391f8ebb99f91b08d1910e0e99fea114fc75ab56244d291f7aa1d7b2059d641e9ec00bac5c834a8e368910f4579f49daf11b70aa44

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        492KB

        MD5

        7c9581b0e6fdd05370d727acaecdff6a

        SHA1

        7e4eab534f97648779be30f8ad7d10d0f128f0d6

        SHA256

        11328f379990d9b1f2b05c6dc3ff29dd278273a8c0d94cc373acc63001a3183d

        SHA512

        eb6a65d70ca0af641c0d7c591dc066835745d4598b83e271f537b4da12b7a2101d67fdaeb518d43b49b8e23747d8ff5bc5476d314cfdff4b57ac6bd1b609ea35

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        497KB

        MD5

        2b8310249f00fff88c79eaea65905ed6

        SHA1

        7fc65e2e985a380d5a8b65aa38e03022b15114f1

        SHA256

        397d8d7dbbd4f08eba223dc4682b58835dbcd714f4d6a044aa0a8a310d9ff8ad

        SHA512

        5cce864f6ffdec180848e3ec941966693476f33d38b80752861ba888e9716a5d23442b8daa509f17c378ef18378464afb37c35fceb2deb65c0f789510d36e03f

      • C:\Windows\SystemTemp\msedge_installer.log

        Filesize

        184KB

        MD5

        970e8e60f8fd182e2ac6278ed4588bba

        SHA1

        7d35dd6e51562a666869cc367dd61d4d370b1de4

        SHA256

        a72b67f35624bb6dd17bb1ae0461940e9da9c1b5ec7b0b64c2f6bb9a566fdefa

        SHA512

        323df948503ad6811993db19ce1f14b1705f324fddac450833ee87a54b9ed9d0b522edddafd46d485b7de52fee29a2b9aac51ff89ae25c8ec0550b1afdb73a46

      • C:\Windows\SystemTemp\msedge_installer.log

        Filesize

        216KB

        MD5

        0da3b73ede1eca1ac1622832aeb43dc9

        SHA1

        0f93fc90692b8700563ccddab3a179de7b1d7b29

        SHA256

        0f31a9dd82343452c5d6546c9256a605e7268824f565d6fe0490173d3c015339

        SHA512

        30fbfca70c795c332a8cf51f2433fe9a2da1ae1266e3a09818a44a0cb699bb431d50bf5c2984f64a1e58cd759508b106d5bff3db0aeb942a3bf8dddc7f213a38

      • memory/1908-26-0x0000000010000000-0x0000000010057000-memory.dmp

        Filesize

        348KB