Overview

overview

10

Static

static

10

empyrean-g...in.zip

windows11-21h2-x64

3

empyrean-g...ING.md

windows11-21h2-x64

8

empyrean-g...NSE.md

windows11-21h2-x64

empyrean-g...DME.md

windows11-21h2-x64

8

empyrean-g...ld.exe

windows11-21h2-x64

10

empyrean-g...er.png

windows11-21h2-x64

empyrean-g...u0.png

windows11-21h2-x64

empyrean-g...m0.png

windows11-21h2-x64

empyrean-g...m1.png

windows11-21h2-x64

empyrean-g...m2.png

windows11-21h2-x64

empyrean-g...m3.png

windows11-21h2-x64

empyrean-g...er.png

windows11-21h2-x64

empyrean-g...on.bat

windows11-21h2-x64

8

empyrean-g...es.txt

windows11-21h2-x64

3

empyrean-g...bug.py

windows11-21h2-x64

8

empyrean-g...ers.py

windows11-21h2-x64

3

empyrean-g...ken.py

windows11-21h2-x64

8

empyrean-g...ion.py

windows11-21h2-x64

3

empyrean-g...tup.py

windows11-21h2-x64

3

empyrean-g...nfo.py

windows11-21h2-x64

3

empyrean-g...fig.py

windows11-21h2-x64

3

empyrean-g...ain.py

windows11-21h2-x64

3

Analysis

  • max time kernel
    565s
  • max time network
    845s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-en
  • resource tags

    arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-02-2025 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    empyrean-grabber-fixed-main/install_python.bat

  • Size

    686B

  • MD5

    f30718a354e7cc104ea553ce5ae2d486

  • SHA1

    3876134e6b92da57a49d868013ed35b5d946f8fd

  • SHA256

    94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966

  • SHA512

    601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Score
8/10
adwarediscoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file 3 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber-fixed-main\install_python.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
    • C:\Windows\system32\curl.exe
      curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
      2⤵
      • Downloads MZ/PE file
      PID:3316
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkVGNDBBMjctODA2Ri00QkZDLTlDNjMtMDZERThGQjU1RTEwfSIgdXNlcmlkPSJ7NUQzN0Y1QzEtNEQ3RS00OTdBLThDNDEtQzFEMTk5Mzk4MTc3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjZDMzRDMjktN0QwMS00QUIyLTg1RTAtRDZBRTU1Q0QxRjc3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjEzMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI4NzExMjU0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4NTk4OTcwMjEiLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3228
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4088
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff63586a818,0x7ff63586a824,0x7ff63586a830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4044
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff63586a818,0x7ff63586a824,0x7ff63586a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1524
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x1dc,0x248,0x7ff626eba818,0x7ff626eba824,0x7ff626eba830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1360
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x1e4,0x220,0x244,0x1dc,0x248,0x7ff626eba818,0x7ff626eba824,0x7ff626eba830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1568
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff626eba818,0x7ff626eba824,0x7ff626eba830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4632
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkVGNDBBMjctODA2Ri00QkZDLTlDNjMtMDZERThGQjU1RTEwfSIgdXNlcmlkPSJ7NUQzN0Y1QzEtNEQ3RS00OTdBLThDNDEtQzFEMTk5Mzk4MTc3fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntBMEI5MzQ0Qy05M0MzLTRBQ0YtQkM3Ni03N0VFREZEOEEzQjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC43MCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InszMTc3OTYyOS04RjQ3LTRGNDktOEVCNC1CMzlDMjhCNDE1OUR9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMSIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDMxNjM2MTc2OTI2MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg5ODE3ODQxMyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODk4MTc4NDEzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5NzM2MzAzNTg2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk3MTI5ODcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9RSUyYm9HVm03VUpxWFMwSGxVNXhJdmNncTJ5RTd6Z2lPQ3BpSU13SiUyZkhvc09OOXNHUnRuZ0xVYyUyYmtXMTJxWmolMmJOaVkzNnlyZkIxUzFUaGdkNzF5ZUFCZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIxNSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjg5NCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTczNjMwMzU4NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk3MTI5ODcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9RSUyYm9HVm03VUpxWFMwSGxVNXhJdmNncTJ5RTd6Z2lPQ3BpSU13SiUyZkhvc09OOXNHUnRuZ0xVYyUyYmtXMTJxWmolMmJOaVkzNnlyZkIxUzFUaGdkNzF5ZUFCZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjI3OTM3NDciIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9IjQyNzg1OSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5NzM2NDU5OTUxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcxMjk4NyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1FJTJib0dWbTdVSnFYUzBIbFU1eEl2Y2dxMnlFN3pnaU9DcGlJTXdKJTJmSG9zT045c0dSdG5nTFVjJTJia1cxMnFaaiUyYk5pWTM2eXJmQjFTMVRoZ2Q3MXllQUJnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iOTEuODEuMTMwLjEzNCIgY2RuX2NpZD0iOSIgY2RuX2NjYz0iaXQiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9IjQ4NzUwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk3MzY2MTYwNjciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTc1MDUyMjk0NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAzMTQyOTI5MzciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIyNjcyIiBkb3dubG9hZF90aW1lX21zPSI0ODM4NDQiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTYzNzciLz48cGluZyBhY3RpdmU9IjEiIGE9IjIiIHI9IjIiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InszNTdCMUIzMS04MjAxLTQ0NjQtQThFOS0xQTkwMkRCOTQxQjd9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC45NCIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezY2QTU1MDE1LUIxNzQtNERDMS05NkNBLUFGRUJFMUY1NjM5OX0iLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{636E952F-B999-4A0A-A374-3EEA88907D66}\EDGEMITMP_DFF84.tmp\setup.exe
    Filesize

    6.6MB

    MD5

    b4c8ad75087b8634d4f04dc6f92da9aa

    SHA1

    7efaa2472521c79d58c4ef18a258cc573704fb5d

    SHA256

    522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

    SHA512

    5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

    Download Submit

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Filesize

    3.7MB

    MD5

    3646786aea064c0845f5bb1b8e976985

    SHA1

    a31ba2d2192898d4c0a01511395bdf87b0e53873

    SHA256

    a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

    SHA512

    145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

    Download Submit

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
    Filesize

    654KB

    MD5

    076466e7a0cc108bd74f5f372d30b639

    SHA1

    adb1d39ab540c86389a5499a2fddf5ed73e3dc5b

    SHA256

    a9814fe2d79a6d379a7e2786aadf95de75eb60ba22482398f0fb77311117821e

    SHA512

    341fbc95ba09e0439d8ecb4bf7b40711822ff4180d5dabc9a296665a2c36e06585070e95fbe4adfdb126065a5789e6dab65b187f0fc9e73e31d20d5e08d5af28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_do4nog0x.uvi.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    71KB

    MD5

    56994a0ec11054530fa37f5ecaadb749

    SHA1

    97e58125c73004bf21856d503dc34a08d172586e

    SHA256

    47faa1ffafbb5e287adf908330cb9179a7fb31fc553faf24ae6043f930f8e130

    SHA512

    1c8ed2cf7b7c8108014a5cc53826f3dfb855074aa9953cca63a655d26708a7e220fe8ebc12d26598a1f01e9e752698ae4000252c2920ceba1484ee9daf920232

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    103KB

    MD5

    5230b055059443cc107c0be339f40cff

    SHA1

    de9847121950097909803e233754ddfde63a49ca

    SHA256

    9c2902cfbcdab2a2dcdc10280f1618e0d913615c85f946deeb5e0805082c2a9a

    SHA512

    98c3cf624086cad3aaa003687144df936b3bbfff774c7e7040b37a29762891358999d6b39bfb3b52c4ff431004615e5c5864ed63522e6c092ae9abdb318edd11

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    104KB

    MD5

    14d415060802925c493c433f2650204c

    SHA1

    354fce585bbbc893657ec3fbe35c30f5afda0c83

    SHA256

    2f99444fd627f902dd42caa8a572ae7529a326ddba4b10870f52374f4b9e107a

    SHA512

    cc41becd525bd79e364d2deef5f0598171af49b1559262d6721f5b985241837aea51251a64ff4b1c00e51dfdcbad485cfb982b4fbe424dbd4f071657174cf05b

    Download Submit

  • memory/2000-10-0x00007FF945C50000-0x00007FF946712000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2000-15-0x00007FF945C50000-0x00007FF946712000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2000-12-0x00007FF945C50000-0x00007FF946712000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2000-11-0x00007FF945C50000-0x00007FF946712000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2000-0-0x00007FF945C53000-0x00007FF945C55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2000-6-0x0000023D6C650000-0x0000023D6C672000-memory.dmp

    Filesize

    136KB

    Download