Malware Analysis Report

2025-03-15 03:38

Sample ID 250212-2zed3szjfk
Target empyrean-grabber.zip
SHA256 795174a48bb492a185ebab88bde39c8ff8b193c3729602a5a8f9425baec7ea1b
Tags
discovery empyrean adware persistence privilege_escalation stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Each behavioral analysis below has the sections Detonation Overview, Command Line, Signatures, Processes, Network and Files:

Analysis: behavioral9
Analysis: behavioral10
Analysis: behavioral1
Analysis: behavioral2
Analysis: behavioral4
Analysis: behavioral5
Analysis: behavioral6
Analysis: behavioral8
Analysis: behavioral11
Analysis: behavioral12
Analysis: behavioral17
Analysis: behavioral19
Analysis: behavioral20
Analysis: behavioral21
Analysis: behavioral22
Analysis: behavioral3
Analysis: behavioral7
Analysis: behavioral15
Analysis: behavioral25
Analysis: behavioral26
Analysis: behavioral13
Analysis: behavioral14
Analysis: behavioral16
Analysis: behavioral18
Analysis: behavioral23
Analysis: behavioral24

Analysis Overview

score
10/10

SHA256

795174a48bb492a185ebab88bde39c8ff8b193c3729602a5a8f9425baec7ea1b

Threat Level: Known bad

The file empyrean-grabber.zip was found to be: Known bad.

Malicious Activity Summary

discovery empyrean adware persistence privilege_escalation stealer

Empyrean family

Detects Empyrean stealer

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-12 23:00

Signatures

Detects Empyrean stealer

Description Indicator Process Target
N/A N/A N/A N/A

Empyrean family

empyrean

Analysis: behavioral9

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 9bbe77c77e5045db5fa20ff4c55f47cd
SHA1 bc28dcebb154ea926e808f12fe017e370497da8c
SHA256 82d83f4bf5ea0a91638cc5c0a0b1daebde711a76cb074d7ee5e57dfa29ff70ef
SHA512 c6902a22982428513df5c142264d2c0b282f0a89da25b0d3460952495fa0a3f644c351cef46685f2e8137d85b5dce0ee969f48fd628f91b7dd0e899d0f356e3c

Analysis: behavioral10

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250207-en

Max time kernel

95s

Max time network

133s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDEzNDIzMTQzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.85:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20250207-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\build.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\build.bat"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

101s

Max time network

146s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\build.bat"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\build.bat"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTg4MTQxNjE4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.66.42:443 www.bing.com tcp
GB 2.18.66.42:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

113s

Max time network

143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDkyNjM5NTkyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 150.171.27.10:443 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2c86be9977bdc47257756134c7e8ef81
SHA1 044a3daa9022dcc0b9fd752e066d44d242056f6e
SHA256 80da05b79fc11a2c6e25f869fe9a0882632531bf04b88e1e6a10f18b20e65e2b
SHA512 4b53737f78db94116877505bfdd634a658b18fd3a8c03b3e457cd2a35a831b019252912d11b5034e1ed0ea28b26efe07993fdca83ad0b611d95f0c3309bb3403

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

106s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0ZGOUFCODAtQTlCQy00MUVBLTk2MDAtNDVCREJERkIxOTZBfSIgdXNlcmlkPSJ7MDg2MkVFRTYtQzk5MC00RkFCLUIxMDItQzM3MUI0QTU0MzE2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjQwNjI3QzAtNjQ4QS00OTBFLTk1NEQtQTZDOTAyNzZENTlBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDc2OTUyNjY5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

98s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTk4MDUwODg1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.66.162:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6a5bc2d304cf0a326b77c8e441821fe3
SHA1 33473ae32eb83f68dd12eb502cc739bc66e16c20
SHA256 c20df9e5d89132b258a23f202d5c3e20ae4e3475764f0f44ecfd32ae81360948
SHA512 419318e1ff02bb11b39e340cffc8a5ce1af0fc084b19d11f5d6b761e37ebf5d2fa642a01bc6aad5b9c08222f8aad1ffa10d56c0fdd68bdfbc374dd4ad58d57cc

Analysis: behavioral12

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

147s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTg0OTA1ODAzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.41:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 163f1ea6855142274c57a899ffe252a4
SHA1 61ba26c29c34982da5f95c86065d4b5b60516711
SHA256 58bbdd01cff28a0731ea5e19dcbb3c59b8abf3585d88b10c982067b6ce081745
SHA512 22fb1835f99475060b0c58080cde53cf03e20c53e43ed690af5c78370dcf569d0d06f97412de2586551c2cfb911935ca3e7553f2d9e652628c76b01928d689ad

Analysis: behavioral19

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0ef375bf6f56668d33030be5642f9744
SHA1 1e474c993b168b126e146c6685dc63e2450d7620
SHA256 57879e185e7864abec773cc42a6ea7bfb40129174a60b66107bebf7d06b816c1
SHA512 f0eb6fd55308af48783e780d4223fc7b53c00ce1c124fc9ae7d688583cdc78c563f36ad483994421e17147084c42190a30aedb6a29783464711db50878ee157b

Analysis: behavioral20

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

148s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODEzNzM1MDQyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3c4573c2bcf85ae91cbb11dabf0184ea
SHA1 c78ccbb3466b1767dfa18c254d5b7248a69f9b9f
SHA256 7220abddf85f1ae1e2f0445a0f8fcbd7471841c2ca6dd49145571191e24efa24
SHA512 3e33e17382e418d7fd5196b05eb0af508ca09d81b331ccc51fb9dde006a0b5899b04b172cb10c3d11eb6ddc85ad29551745a709849e7431edc849b1d7e150114

Analysis: behavioral22

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

94s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTgxNUREQzUtMjUyRC00MUE0LTkxNTctREI2MkQ5QUZCMjU1fSIgdXNlcmlkPSJ7MDU4NzFDNDgtQzUyNC00ODA5LTlENzQtMjBFMEU1OTI5OEUzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7N0MxMEZBQTEtRDBBMC00MjcwLUJGMjgtNjQ5QzdFN0Q1RjI1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDU1MzU1MDYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 104.86.110.98:443 www.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20250207-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5f7596cc93c00659821f213bd50ea0b4
SHA1 3c4850c79d1d5f2ca3b48f83012b4f4ff122ae37
SHA256 5e452dd0bf26795901c15ceed58c70c16ca84b524734c2109250768b97c1754b
SHA512 a8f7c73a74dec7a3e0b74cb625250a52675c32d23d14e3a83e24c2b6bc0c3a378068981810f3f5eb1cb6b6af9bb3e9917d552e7f9839cf5d34017b5ddcce0b03

Analysis: behavioral7

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240729-en

Max time kernel

102s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 abebd1de09728cf1ccdda290bc3fc06a
SHA1 0ffdb489b5003e4833eb2c007987beefbdc2d474
SHA256 d78f2da93929e6f7205c3353f4ab5020a1783a210093a6a5715b127e875976fc
SHA512 921a47ed05a43da4fd00adc91d92ee736b1b0cb76cade9d0c28657c0d7c77e0a3f925d18ebb23f6b3c02a4400151a9cc843a6207341deed17fa49db3e27fd34e

Analysis: behavioral15

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5b6529bb6ec2a7aee87c4508eb13a1cb
SHA1 8c7773b92c67fe37498fe5e69fec29797ef3a10a
SHA256 1d9a2ce5627cccb106301321bff461e560ba447c39e0a78fc0d776a309d8d6b9
SHA512 25dafd88264cd044942a63992851f07fe1d92a48f3f87070317cb2cf88c91c1ff5ec763c41371fa5a8623f965b1ed38f55fbf3cf873f07896fe509309cbe0bfb

Analysis: behavioral25

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c4a334c68ff45ebdcd5dda419f213bdc
SHA1 15bb212984ff0075c7e055c31975566c9398c5e4
SHA256 6ba37b4ef87ce0ff5bd804809b4b3b2008909494facb70d487e5ff34743f764a
SHA512 0eb3fa6861f47c4abf9e9c7a970c4ba63aa12430aa8812de6f253bd3cbcb474e9af3fce6d095ac5d2a2860381820a0f4dd8f7ae1264ab0226e076bd979bd7a83

Analysis: behavioral26

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250207-en

Max time kernel

94s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQwOTE2MjM2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 104.86.110.98:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.129.181:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20241010-en

Max time kernel

103s

Max time network

18s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 fc54c69ab3d5b113fcb3aba809c901c4
SHA1 121dd760876e7c893eec5eff5db0e2917dcaed0e
SHA256 272d9a29aad0e133251b05db92527c833d3e8d8c7a46c72120cf8d95143c0cee
SHA512 2d3b4c8cf24af90734de0fad0a855836a7a0a4466fe0525dc0f55d1402e289f3c8f27546e5e025d05d350b2e272837977196ef365c5727e13d275a4dd235e2e1

Analysis: behavioral14

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250207-en

Max time kernel

95s

Max time network

144s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODY5OTMwOTc2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
GB 2.18.66.83:443 www.bing.com tcp
GB 2.18.66.83:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250207-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzI5MjYwNTQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250207-en

Max time kernel

141s

Max time network

143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EdgeWebView.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fa.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\resources.pri C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\MicrosoftEdge_X64_133.0.3065.59.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Staging C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\el.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ta.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ar.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fil.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Fingerprinting C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho_64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Stable.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\eu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fil.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Cyrl-BA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Extensions\external_extensions.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\vi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Dev.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Analytics C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\hr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Extensions\external_extensions.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Extensions\external_extensions.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\et.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\gl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\es.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-PT.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Analytics C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\vi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxil.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\elevated_tracing_service.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Social C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\es-419.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\stable.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ja.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vcruntime140_1.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
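
Every row in the file list above and every row of the "Modifies Internet Explorer settings" signature carries an Edge updater process in its Process column: MicrosoftEdgeUpdate.exe, the setup.exe unpacked under EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp, or Edge\Application\133.0.3065.59\Installer\setup.exe. The Low Rights\ElevationPolicy entries register Edge's "IEToEdge Handler" (AppName ie_to_edge_stub.exe, AppPath under Edge\Application\133.0.3065.59\BHO) with Policy = 3, the value Internet Explorer's Protected Mode reads as "launch silently at medium integrity". Before reading the adware/spyware tag as behaviour of the sample, a triage pass should split the rows by originating process and decode those elevation policies. The script below is an added example written for this page, not part of the report or of any sandbox tooling; the rows embedded in it are copied from this section, it assumes every process path in the Process column starts with C:\, and the Policy meanings follow Microsoft's Protected Mode documentation.

```python
import re
from collections import Counter, defaultdict

# Rows copied from this section of the report (a subset, plus one of the
# indicator-less "N/A N/A" rows), in the flattened
# "Description Indicator Process Target" form the report uses.
SAMPLE_ROWS = r"""
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho_64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
"""

# Description prefixes used in the report's event rows.
DESCRIPTIONS = (
    "File created", "File opened for modification",
    "Key created", "Key deleted", "Key opened",
    "Set value (str)", "Set value (int)",
)

# Processes that belong to the Edge updater/installer rather than to the sample
# (assumption: the sandbox image auto-updated Edge during detonation).
EDGE_INSTALLER = re.compile(
    r"^C:\\Program Files \(x86\)\\Microsoft\\(?:EdgeUpdate\\|Edge\\Application\\[\d.]+\\Installer\\)",
    re.IGNORECASE,
)

# "Low Rights\ElevationPolicy\{GUID}\<AppName|AppPath|Policy> = "<value>"" indicators.
ELEVATION_VALUE = re.compile(
    r'\\Low Rights\\ElevationPolicy\\(\{[0-9a-f-]+\})\\(AppName|AppPath|Policy) = "(.*)"$',
    re.IGNORECASE,
)

# Meaning of the Policy DWORD, per Microsoft's Protected Mode documentation.
POLICY_MEANING = {
    "0": "launch silently blocked",
    "1": "user prompted; runs at medium integrity if allowed",
    "2": "silently launched at low integrity",
    "3": "silently launched at medium integrity (outside the Protected Mode sandbox)",
}


def parse_row(row):
    """Split a flattened row into (description, indicator, process, target).

    Indicators can contain spaces and even embedded C:\\ paths, so the process
    is the text after the LAST ' C:\\' (assumption: every process in this
    report is a C:\\ path) and the target is the final token. Rows without a
    recognised description (the "N/A N/A" rows) yield None.
    """
    body, _, target = row.rstrip().rpartition(" ")
    head, sep, proc_tail = body.rpartition(" C:\\")
    if not sep:
        return None
    process = "C:\\" + proc_tail
    for desc in DESCRIPTIONS:
        if head.startswith(desc + " "):
            return desc, head[len(desc) + 1:], process, target
    return None


def triage(text):
    """Group rows by originating process and decode Protected Mode elevation policies."""
    by_process = Counter()
    installer_rows, other_rows, skipped = [], [], 0
    policies = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_row(line)
        if parsed is None:
            skipped += 1
            continue
        desc, indicator, process, _target = parsed
        by_process[process] += 1
        bucket = installer_rows if EDGE_INSTALLER.match(process) else other_rows
        bucket.append((desc, indicator, process))
        match = ELEVATION_VALUE.search(indicator)
        if match:
            guid, name, value = match.groups()
            # The report escapes backslashes inside quoted values; undo that.
            policies[guid.lower()][name] = value.replace("\\\\", "\\")
    for entry in policies.values():
        entry["meaning"] = POLICY_MEANING.get(entry.get("Policy"), "unknown")
    return {
        "by_process": by_process,
        "installer_rows": installer_rows,
        "other_rows": other_rows,
        "skipped": skipped,
        "elevation_policies": dict(policies),
    }


def report(text=SAMPLE_ROWS):
    """Human-readable summary: what is installer noise, what is left to look at."""
    result = triage(text)
    lines = [f"parsed {sum(result['by_process'].values())} rows, skipped {result['skipped']}",
             f"attributed to Edge installer/updater: {len(result['installer_rows'])}",
             f"rows from other processes: {len(result['other_rows'])}"]
    for desc, indicator, process in result["other_rows"]:
        lines.append(f"  {process}: {desc} {indicator}")
    for guid, entry in result["elevation_policies"].items():
        lines.append(f"ElevationPolicy {guid}: {entry.get('AppName')} in {entry.get('AppPath')} "
                     f"-> Policy {entry.get('Policy')}: {entry['meaning']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it against the full Files and Signatures tables of this detonation rather than the embedded subset, and the rows left in the "other processes" bucket (here wwahost.exe and cmd.exe) are the ones worth tying back to the sample's own process tree; the ElevationPolicy decode shows at a glance which binaries Internet Explorer would launch outside its low-integrity sandbox and who registered them.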

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\PdfPreview\\PdfPreviewHandler.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,11" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xhtml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\wwahost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 5092 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 2816 wrote to memory of 5092 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 5092 wrote to memory of 2572 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 5092 wrote to memory of 2572 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 5092 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 5092 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 2592 wrote to memory of 4944 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 2592 wrote to memory of 4944 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe
PID 5092 wrote to memory of 1320 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 5092 wrote to memory of 1320 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 5092 wrote to memory of 4292 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 5092 wrote to memory of 4292 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1320 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1320 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 5092 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 5092 wrote to memory of 4788 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4292 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4292 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4788 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4788 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODM1NjcxNzYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff70c516a68,0x7ff70c516a74,0x7ff70c516a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff70c516a68,0x7ff70c516a74,0x7ff70c516a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7cbc36a68,0x7ff7cbc36a74,0x7ff7cbc36a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7cbc36a68,0x7ff7cbc36a74,0x7ff7cbc36a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7cbc36a68,0x7ff7cbc36a74,0x7ff7cbc36a80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe

"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODE3NEEyQ0EtRjJFMi00MTBGLUI5QzktQTcxMkY1MUFBNTVGfSIgdXNlcmlkPSJ7RDU1MzY4MzUtNDhBQi00N0RFLTgxNkMtODFFNDBFRUY4Nzg1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3QkRBRkEwOS1BMThBLTQ5MEItQTI3NS1EQjk4RjU2MDNGNTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjUiIGNvaG9ydD0icnJmQDAuMTkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iNSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7M0E3N0FFN0UtQkVEOC00RTA1LTg2ODgtRDUzQ0RGMDlCRkRCfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iNSIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDI0ODM2NzgyMjU4MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg1MTE0MDgyOSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0
ODUxMTQwODI5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-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-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1MTkyNjU4NDIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTUzMzMyODM4MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjE5OTEwOTkzMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijg5MSIgZG93bmxvYWRfdGltZV9tcz0iNjY4MTIiIGRvd25sb2FkZWQ9IjE3ODYwNDA4OCIgdG90YWw9IjE3ODYwNDA4OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjY1NzgiLz48cGluZyBhY3RpdmU9IjEiIGE9IjUiIHI9IjUiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MTNBQjhDMy05QkQ3LTQxMTAtOTlERi1ERTk4MjNFN0RGMTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNSIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuNzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iNSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MTBGNjIyOEEtMjhEOC00OTk1LUFGMUQtQjIyQUFENEVDNUU5fSIvPjwvYXBwPjwvcmVxdWVzdD4

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.130.134:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 www.office.com udp
US 13.107.6.156:443 www.office.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.140.242.104:443 nav.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 res.cdn.office.net udp
GB 96.17.179.135:443 res.cdn.office.net tcp
GB 96.17.179.135:443 res.cdn.office.net tcp
GB 96.17.179.135:443 res.cdn.office.net tcp
GB 96.17.179.135:443 res.cdn.office.net tcp
GB 96.17.179.135:443 res.cdn.office.net tcp
GB 96.17.179.135:443 res.cdn.office.net tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp

Files

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{BA336DFB-86DD-4A5E-B68D-E2A30F30D859}\EDGEMITMP_68535.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

C:\Program Files\msedge_installer.log

MD5 821f0f32f660fcd556fa2c93c1631cbe
SHA1 5a273f3bf09707331a11018ad3bf404ac9359256
SHA256 eb7766f2f8023119f984219d98d92fe9ddfa79c1a75ade8db83dc992aa57e49c
SHA512 11e44024da83bb14fe476255d8731a61a020623e88ee6714c98f5da09884ccdfb144ce39db3608ceed7b46f07c7897a7a4ad8017d8c01bc91e8b4e46fb2ce25c

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Program Files\msedge_installer.log

MD5 b37ec2667f1451d16c64c6fccc067b6c
SHA1 33cf8988c70651d2a40e2324e5233097c95f6953
SHA256 1a030caa8804202e3323ba4466878498deabe0480242af40d8cb99e47c3a8f80
SHA512 c3abbec00c268158f633e3706f49f4ac9291855e18650eaa01ebf6593e863eed202710b07c975142729fa6f7dea995917b03d70f130b22b3ce192753962b0b9c

C:\Program Files\msedge_installer.log

MD5 2daeb715e3718dcdb0e0aac1d76be819
SHA1 021e8906544374bbfbda6bd0f3bd00a5db3ef15d
SHA256 4635b2c033612d5a426d800c6202133539c2cbc4530c51b84f75923c280590a0
SHA512 7a61930ccc682ac49bb5ed6a978febd93e225c209e17d355b990a7626641d6515d875a0d6c20d96018aa2eca2daf9a3ae75abf41f4814a51a5d370ec6cc66307

C:\Program Files\msedge_installer.log

MD5 f1b5abaa3a6a634980eafed8d112227c
SHA1 2e3bbdfa07ca03c60de2ba60a66cb323bccec7d9
SHA256 09fbc32a7924535fa66f83c0788f452a8b1086d3f3fa597151d59a785de7d1f1
SHA512 40c57bc32db89f2354a327b99bc08e110fe20aebde4a02c1cb35bcf3301637b6d744dc5a6d961ba68c3fca9864e6e7afc25384e105756b48a0ee42e33a769cc7

memory/4184-71-0x000001A586010000-0x000001A58601E000-memory.dmp

memory/4184-73-0x000001A5A0550000-0x000001A5A0558000-memory.dmp

memory/4184-72-0x000001A5A0520000-0x000001A5A052A000-memory.dmp

memory/4184-74-0x000001A5A0800000-0x000001A5A0A49000-memory.dmp

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

MD5 c626a0f38dc846c18ea6f70fb40da783
SHA1 49bb3162f05484c8a1483f142906496a0fa2e030
SHA256 d888008ca8c27c2653a60e2ef20676f93b9285007f9de81c15021d39f5f1e70f
SHA512 bbbdd9a100b575c78a4a4bc4fe805e14dd95083a5aa6cb914f6acc3fa7527ce2aa1b19a2b44473b940aa151a9589fecfe0584ed0121aeb12acae449833e5eb1c

Analysis: behavioral23

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win7-20241010-en

Max time kernel

103s

Max time network

18s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a139be0135a8f02ef35de500a504d763
SHA1 7db3dc5089232061c7703c3ce93d7464e81032ec
SHA256 f4ac7353f76e9d5f654c2e099423930a442a556970ace9b5fdc8615c5357b907
SHA512 f8ab3e9920c0bbc4760efcef5b5baba4f29378083f6b995a009044c4e4288fe332404a9dc4e7f3eb3b612db906feaff7f98909489917d85803d5bcf705cb934d

Analysis: behavioral24

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:03

Platform

win10v2004-20250211-en

Max time kernel

150s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\el.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\or.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bg.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ca.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ms.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\el.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ga.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_elf.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\LICENSE C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sr-Cyrl-BA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxil.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ca-Es-VALENCIA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ka.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\learning_tools.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.exe.sig C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bn-IN.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Edge.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\WidevineCdm\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bs.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\am.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\show_third_party_software_licenses.bat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\concrt140.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr-CA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\nl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Other C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\msedge_200_percent.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ug.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\d3dcompiler_47.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ga.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.exe.sig C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\es.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Social C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\v8_context_snapshot.bin C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ne.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EBWebView\x64\EmbeddedBrowserWebView.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ka.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Other C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\gd.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\tt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_100_percent.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\id.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\hu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1540_13383874976970138_1540.pma C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\stable.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lb.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\v8_context_snapshot.bin C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fa.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mhtml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,11" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xhtml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\EBWebView\\x64\\EmbeddedBrowserWebView.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}\ = "ie_to_edge_bho" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"%1\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\wwahost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 3928 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 4064 wrote to memory of 2352 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 4064 wrote to memory of 2352 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 556 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 556 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 556 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 556 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 556 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2956 wrote to memory of 4288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2956 wrote to memory of 4288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1540 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1540 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1648 wrote to memory of 2124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1648 wrote to memory of 2124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTcyMTY0NzA3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff74f056a68,0x7ff74f056a74,0x7ff74f056a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff74f056a68,0x7ff74f056a74,0x7ff74f056a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78f9f6a68,0x7ff78f9f6a74,0x7ff78f9f6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78f9f6a68,0x7ff78f9f6a74,0x7ff78f9f6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78f9f6a68,0x7ff78f9f6a74,0x7ff78f9f6a80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe

"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
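Process lineage behind the WriteProcessMemory rows, as an added example that is not part of this report or of the sample. Every row in that table is a parent writing into a child it has just created, which is what CreateProcess does, so the signature on its own does not tell the sample apart from the Edge installer that MicrosoftEdgeUpdate.exe launched during the run. The only process the sample itself contributed is the cmd /c ...\empyrean-grabber\src\config.py line above, which Windows handed to OpenWith.exe because no .py handler was registered; none of the write chains start there. The script parses rows copied from the table, collapses the doubled entries, finds the root of each chain and labels it. The directory rules used for labelling and the sample-path marker taken from that cmd line are this example's own assumptions.

```python
"""Attribute 'wrote to memory of' events to a process lineage.

Added example for this report, not sandbox or Empyrean code. The rows below
are copied from the WriteProcessMemory table; the path-based labels (which
directories count as the Edge installer, which as the sample) are this
example's own assumptions, not something the report states.
"""
import re
from collections import defaultdict

# Rows copied from the report (one of the doubled entries kept to show dedup).
WPM_ROWS = r"""
PID 3928 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 3928 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 4148 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 4064 wrote to memory of 2352 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe
PID 556 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 556 wrote to memory of 1540 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 556 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2956 wrote to memory of 4288 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1540 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1648 wrote to memory of 2124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"""

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; the lazy
# first path group stops at the first " C:\" so paths with spaces parse.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")

# Assumption: images under these prefixes belong to the Edge installer/updater.
EDGE_PREFIXES = (
    r"c:\program files (x86)\microsoft\edgeupdate",
    r"c:\program files (x86)\microsoft\edge\application",
)
# Assumption: anything under the sample's extraction directory (from the
# cmd /c ... config.py line in the Processes list) is the sample.
SAMPLE_DIR = r"\appdata\local\temp\empyrean-grabber"


def parse_rows(text):
    """Parse rows into (src_pid, dst_pid, src_image, dst_image).
    The sandbox records each child launch twice; one (src, dst) pair is kept."""
    events, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m or (int(m[1]), int(m[2])) in seen:
            continue
        seen.add((int(m[1]), int(m[2])))
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def classify(image):
    """Label an image path by origin; 'unknown' is what an analyst then reads."""
    low = image.lower()
    if SAMPLE_DIR in low:
        return "sample"
    if low.startswith(EDGE_PREFIXES):
        return "edge-installer"
    return "unknown"


def build_lineage(events):
    """Return (pid -> image, pid -> children, roots with no recorded parent)."""
    image, children, parent = {}, defaultdict(list), {}
    for src, dst, src_img, dst_img in events:
        image[src], image[dst] = src_img, dst_img
        children[src].append(dst)
        parent[dst] = src
    roots = sorted(pid for pid in image if pid not in parent)
    return image, children, roots


def descendants(children, pid):
    out, stack = [], list(children.get(pid, ()))
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(children.get(cur, ()))
    return sorted(out)


def attribute(text):
    """Return {root_pid: summary}, tying every write chain to its origin."""
    events = parse_rows(text)
    image, children, roots = build_lineage(events)
    summary = {}
    for root in roots:
        desc = descendants(children, root)
        members = {root, *desc}
        # A parent writing into a child that runs the same image is the normal
        # Chromium pattern (crashpad-handler, setup.exe sub-steps), not injection.
        same_image = sum(1 for s, _, si, di in events if s in members and si == di)
        summary[root] = {
            "root_image": image[root],
            "label": classify(image[root]),
            "descendants": desc,
            "same_image_writes": same_image,
        }
    return summary


if __name__ == "__main__":
    for root, info in attribute(WPM_ROWS).items():
        print(f"root PID {root} [{info['label']}] {info['root_image']}")
        print(f"  spawned {len(info['descendants'])} processes, "
              f"{info['same_image_writes']} writes into a same-image child")
```

Run against the rows above, every chain resolves to one root, PID 3928 (MicrosoftEdge_X64_133.0.3065.59.exe), labelled edge-installer, with no chain rooted in the sample. The same reading applies to the policy rows: the CLSID pre-approved under Policies\Ext\CLSID is the one registered earlier in this section as ie_to_edge_bho.IEToEdgeBHO by the same setup.exe.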

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
GB 104.86.110.115:443 www.bing.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.21:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 www.office.com udp
US 13.107.6.156:443 www.office.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 res.cdn.office.net udp
GB 96.17.179.150:443 res.cdn.office.net tcp
GB 96.17.179.150:443 res.cdn.office.net tcp
GB 96.17.179.150:443 res.cdn.office.net tcp
GB 96.17.179.150:443 res.cdn.office.net tcp
GB 96.17.179.150:443 res.cdn.office.net tcp
GB 96.17.179.150:443 res.cdn.office.net tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp

Files

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{AA5D2B09-62C2-4F51-BD71-935CA3E4036E}\EDGEMITMP_C955E.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

C:\Program Files\msedge_installer.log

MD5 9c1f3c2f8f329c4c59ce60833e6384a8
SHA1 cfd568309c77cd382d2a4d0c1607dce82a6c4271
SHA256 51237b9942d20a13e075407a6852cb22fdcf4a9ca91739d0bf09c72388a2c1c2
SHA512 aa7918fd652663b3c78f5c96b5d3e326e17efb41d0caaf9ec07c440cb0a18d567eb5e799720ae435147e6e54f3504af6b07c66b87d4f0707633e8461910da598

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Program Files\msedge_installer.log

MD5 2e4460605479edf5f4dce80314e0b9e1
SHA1 ed490bf04e148c3f70845044fbb6aceefcf6cf3a
SHA256 93d390a5e1d95d18652272ad6df3884faff30bb6dda8389fe65c8f587a5485a9
SHA512 d2eccafe424808474109004cdb0592fd826226993c2cc5b60d047e17436b453f43cf6213e161cbe53de360fd790bc61c68ca0d44e54ba5a8ca660028ad012f46

C:\Program Files\msedge_installer.log

MD5 ad4156114367093588981a64f243840d
SHA1 4af9aeec7b7c2838401455a1507f5c55f138c997
SHA256 91ff0c1c21fcc272b75f2765e45b8e8d42ff962d4ebca43fef3793d9df82df03
SHA512 b2a0e40edba0640f739c6ac8aa330a0d39c6f6bb498f917320e8488d0c901c244e95d3d04ff5dee66299d5fd75c087e2c1ee627b81d3f3ab6316908659b6c5d9

C:\Program Files\msedge_installer.log

MD5 b000a5f98b4a66bd032dffdc90cd7540
SHA1 4000d1a3712c67e56b49b0377496a0807931efae
SHA256 ffdc026913ce4f1dfe812fe1a85845513037617cfab1ad8864511b1450753aaf
SHA512 a3794ff1f2033685728587d627b896181e2fad58b3717c2a04922809782d7d4fe0743e6d6a72dc650ccff7399433f9eaf734dcccf34565c3c80325371896b36e

memory/2188-71-0x0000028A3FDC0000-0x0000028A3FDCE000-memory.dmp

memory/2188-72-0x0000028A59F90000-0x0000028A59F9A000-memory.dmp

memory/2188-73-0x0000028A59FC0000-0x0000028A59FC8000-memory.dmp

memory/2188-74-0x0000028A5B600000-0x0000028A5B849000-memory.dmp