Malware Analysis Report

2025-03-15 03:39

Sample ID 250212-2zf8nsznaz
Target empyrean-grabber.zip
SHA256 795174a48bb492a185ebab88bde39c8ff8b193c3729602a5a8f9425baec7ea1b
Tags
discovery empyrean adware persistence privilege_escalation stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral6, behavioral11, behavioral18, behavioral19, behavioral20, behavioral22, behavioral4, behavioral5, behavioral9, behavioral21, behavioral23, behavioral26, behavioral27, behavioral1, behavioral3, behavioral7, behavioral10, behavioral13, behavioral24, behavioral25, behavioral2, behavioral8, behavioral12, behavioral14, behavioral15, behavioral16, behavioral17 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

795174a48bb492a185ebab88bde39c8ff8b193c3729602a5a8f9425baec7ea1b

Threat Level: Known bad

The file empyrean-grabber.zip was found to be: Known bad.

Malicious Activity Summary

discovery empyrean adware persistence privilege_escalation stealer

Detects Empyrean stealer

Empyrean family

Downloads MZ/PE file

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-12 23:00

Signatures

Detects Empyrean stealer

Description Indicator Process Target
N/A N/A N/A N/A

Empyrean family

empyrean

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

98s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\LICENSE.md

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\LICENSE.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDI3MTc2MDY4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.66.170:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

93s

Max time network

153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDI3NDY1RkMtQzE5MC00MjY2LTg0RkQtNUIyNURCN0FDQTIzfSIgdXNlcmlkPSJ7ODRGM0JCQ0ItQjFDQS00NkU1LTgyNkYtQjJFQzc0QjY5ODRBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7REE2RjAxQTYtRDY3NC00OUZFLTkzRjMtQUI2MUJFRDJEQzg1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTA3MzgyMDU3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
GB 104.86.110.120:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

98s

Max time network

133s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em2.png"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em2.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjI3MjcwNDYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 104.86.110.90:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.130.134:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

92s

Max time network

151s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em3.png"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em3.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjE2Mjc3MUItMzUyMC00Nzk2LThDRTEtMzNEMTQ5QUMyQzY1fSIgdXNlcmlkPSJ7OTVCOUI1OUYtRjlDNS00RDZFLUI3QjItMkY3ODE0QkY2MkFBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUUwNkE3NjYtOTgxQi00MDY4LUE3OTctRTBFMUE0RkMzQUE5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzI0MTk2MDg5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.130.133:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

95s

Max time network

135s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\footer.png"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\footer.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODlBOTMxQkQtRTc1MS00MUE2LUEyNTYtMzM4MjJDMUNFNTIwfSIgdXNlcmlkPSJ7ODYzOTFFOTgtQzA1Qi00NkMyLUJCNUItQzlERjE5MDk4NzlGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTJBOUMyMDgtMDI5Qi00RTJELTgxMzMtN0FDMTIzQzZCMjZBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzg1MjkxNDM3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
GB 2.18.66.179:443 www.bing.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

93s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjJCMzJGMzYtMkEwRC00QTdCLTk3MjYtMkQ4RTA5OEEzN0E1fSIgdXNlcmlkPSJ7ODFBNjI3RUYtMDk4Qi00RTAzLTg5MEEtMjRDMEQ5QTUyMDAwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODQ4MENFQTctQjQzOS00ODFGLUE1RDYtM0ZEMjNDQTM5NzIyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU4NzgwNzc1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 52.252.28.242:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.85:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.github\ISSUE_TEMPLATE\feature_request.md

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.github\ISSUE_TEMPLATE\feature_request.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTdEOUQ5MDctNkM3Mi00RTlGLUIxQkMtQTZGMTREQTM3NTVCfSIgdXNlcmlkPSJ7MUY4MTM2NDgtRENEMi00M0ZGLUIxQTMtQTYyRDVGQjZGNDY2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjhFNDlCNEUtNkUyNS00QkFBLTkwRjktNjcyNDk4OEUwNDhEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDExMTkzNTQyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.gitignore

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.gitignore

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzYwODA3NjQ5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQ1MDY2MzE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.56:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.129.182:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

95s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTc0MjE0MjUzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 104.86.110.90:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
IT 91.80.49.85:80 tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

149s

Max time network

153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTk2ODY5NzAxOCIvPjwvYXBwPjwvcmVxdWVzdD4

Network

Country Destination Domain Proto
GB 2.18.66.170:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

120s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjM1OEJGNkMtQzZDMi00N0IxLTg0QTAtRTJCMEYwOTBGNEYyfSIgdXNlcmlkPSJ7MEY4ODQ1QUUtMkUyQy00MEFDLTg2NTMtQ0MwMjFDNkVGQUM2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUU0RjJCOTgtMzNCOC00QUNDLTlCNkMtOUU2QkE0NUZGMkJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTIxNTEzNzQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.129.180:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

133s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTY3NjA4MDQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\empyrean-grabber.zip

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\empyrean-grabber.zip

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDY2NDU0NjkyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\empyrean-grabber\build.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 52.252.28.242:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

102s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.github\ISSUE_TEMPLATE\bug_report.md

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.github\ISSUE_TEMPLATE\bug_report.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU4OTYyMzAzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.66.64:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\README.md

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\README.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NjkzMzEwNzIxIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.86:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTA4NTU4MzYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.21:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

150s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjkxNjYwNTE3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.129.180:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

97s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDE5OTc2NTg0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.67:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.129.180:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

96s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTcxOTQ4NDcyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.170:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.81.129.180:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

99s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.editorconfig

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.editorconfig

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTkwMDE4NjU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.43:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250207-en

Max time kernel

97s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\build.bat"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\build.bat"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDMxMTQ2MTE4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.56:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDQwNUFDMjAtREI4NC00NTcwLUJDNjQtMUFBODc5OTYzMjNEfSIgdXNlcmlkPSJ7RUFBMzc5MTUtOUNDNS00MzZELTg5ODQtMkVFRjgwMDg3RDkyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODJENkRCNDItOUU4Mi00RTZDLUJDRTQtM0Y1RjM5QTUwMEVCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDkyNTQ4NDA1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 52.252.28.242:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.85:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

95s

Max time network

151s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\banner.png"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\banner.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODI2NTMwOTE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.72:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.86:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

120s

Max time network

149s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\bu0.png"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\bu0.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjdDMzU5MjItNkNEMy00NkFBLUIwQkUtOUJGQzNCNzZGODdFfSIgdXNlcmlkPSJ7NkZCMURDQ0MtQjNENi00MTQzLUJCQjItODQzQ0JDQkU2M0JFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUZBN0QxQTgtMjI4MS00MUJBLUFFOTQtNDYyOTA1Q0REMzAxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODgwMDk1ODgxIi8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.86:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em0.png"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Note: every indicator in this analysis attributed to C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe (this Active Setup table, the Browser Helper Object and Internet Explorer settings tables, and the Program Files drops) is the Microsoft Edge 133.0.3065.59 installer registering Edge itself. The detonated command line here is mspaint.exe opening em0.png, so the persistence, stealer and adware hits in this analysis describe Edge update activity running in the sandbox rather than behaviour of the sample.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
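What decides whether the Active Setup and Browser Helper Object rows above matter is the process column: which binary wrote each key, and where that binary lives. The script below is an added example written for this page, not code from the report or from the sample. It parses rows copied verbatim from this section's signature tables (flattened "action indicator process target" lines), attributes each row to its writing process by path prefix, and extracts the executable registered through the Active Setup StubPath value after unescaping the doubled backslashes the report shows inside quoted registry data. The row grammar, the path prefixes and the origin labels are a triage policy assumed for the example, not something the report defines.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the signature tables of this report
# (behavioral12 and behavioral16). Layout: "<action> <indicator> <process> <target>".
ROWS = [
    r"Key created \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A",
    r"File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A',
    r"File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A",
]

# Row grammar assumed for this example. The action vocabulary is the one the
# report uses; the process is a drive-letter path that contains no doubled
# backslashes (those only occur inside quoted registry data such as StubPath),
# and the target is the last whitespace-free token.
ROW_RE = re.compile(
    r"^(?P<action>Key created|Key opened|Set value \(\w+\)|File created|File opened for modification)\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\(?:(?!\\\\).)+?)\s+"
    r"(?P<target>\S+)$"
)

# Attribution prefixes and labels: an assumed triage policy, compared
# case-insensitively because NTFS paths are case-insensitive.
SAMPLE_ROOT = r"c:\users\admin\appdata\local\temp\empyrean-grabber"
EDGE_UPDATE_ROOT = r"c:\program files (x86)\microsoft\edgeupdate"

# StubPath data as the report prints it: a quoted, backslash-escaped command line.
STUBPATH_RE = re.compile(r'StubPath = "\\"(?P<exe>[^"]+?)\\"')


def parse_row(row: str) -> dict:
    """Split one flattened signature row into action, indicator, process, target."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    return m.groupdict()


def attribute(process: str) -> str:
    """Label the writing process by where its image lives."""
    p = process.lower()
    if p.startswith(EDGE_UPDATE_ROOT):
        return "edge-update"   # Edge Update / Edge installer: sandbox background activity
    if p.startswith(SAMPLE_ROOT):
        return "sample"        # a file from the submitted archive
    return "host-binary"       # cmd.exe, mspaint.exe, OpenWith.exe launched for the detonation


def group_by_origin(rows):
    """Map origin label -> [(action, indicator), ...] in row order."""
    groups = defaultdict(list)
    for row in rows:
        r = parse_row(row)
        groups[attribute(r["process"])].append((r["action"], r["indicator"]))
    return dict(groups)


def active_setup_stubs(rows):
    """Return (executable, origin) for every Active Setup StubPath written, unescaped."""
    stubs = []
    for row in rows:
        r = parse_row(row)
        m = STUBPATH_RE.search(r["indicator"])
        if m:
            exe = m.group("exe").replace("\\\\", "\\")
            stubs.append((exe, attribute(r["process"])))
    return stubs


if __name__ == "__main__":
    for origin, hits in group_by_origin(ROWS).items():
        print(f"{origin}: {len(hits)} indicator(s)")
        for action, indicator in hits:
            print(f"  {action}: {indicator[:80]}")
    for exe, origin in active_setup_stubs(ROWS):
        print(f"Active Setup StubPath -> {exe} (written by {origin})")
```

On the rows above every Active Setup and BHO write lands in the edge-update group, the StubPath resolves to Edge's own Installer\setup.exe, and the only rows left to the detonation's host binaries are a user-hive Classes\Local Settings key and the WIA trace log. No row in this section is written by a file under the sample's own directory, which is the first thing to confirm before reading the persistence and stealer tags as evidence against the sample.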

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pa.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\wdag.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Cyrl-BA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-BR.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\az.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ta.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files\msedge_installer.log C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\d3dcompiler_47.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\oneauth.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\km.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Entities C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\th.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\vi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\icudtl.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\kok.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\am.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\or.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\wns_push_client.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho_64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\tt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\show_third_party_software_licenses.bat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Staging C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\LICENSE C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ar.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ug.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mspdf.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\Logo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bn-IN.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Stable.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Social C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mspdf.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\it.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\cookie_exporter.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\gu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\pt-PT.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\SETUP.EX_ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\da.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\zh-TW.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fil.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\id.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\onramp.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "0" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\EBWebView\\x64\\EmbeddedBrowserWebView.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\ = "Microsoft Edge MHT Document" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xhtml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\wwahost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 796 wrote to memory of 1188 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 796 wrote to memory of 1188 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 1188 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 1188 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 1188 wrote to memory of 4672 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 1188 wrote to memory of 4672 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 4672 wrote to memory of 4460 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 4672 wrote to memory of 4460 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
PID 1188 wrote to memory of 2708 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1188 wrote to memory of 2708 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1188 wrote to memory of 3472 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1188 wrote to memory of 3472 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1188 wrote to memory of 1736 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1188 wrote to memory of 1736 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3472 wrote to memory of 1860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3472 wrote to memory of 1860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2708 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2708 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1736 wrote to memory of 3348 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1736 wrote to memory of 3348 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em0.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzg1ODg1NTYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff660c96a68,0x7ff660c96a74,0x7ff660c96a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff660c96a68,0x7ff660c96a74,0x7ff660c96a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ad126a68,0x7ff6ad126a74,0x7ff6ad126a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ad126a68,0x7ff6ad126a74,0x7ff6ad126a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ad126a68,0x7ff6ad126a74,0x7ff6ad126a80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe

"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
GB 2.18.66.73:443 www.bing.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.86:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 www.office.com udp
US 13.107.6.156:443 www.office.com tcp
US 8.8.8.8:53 res.cdn.office.net udp
GB 96.17.179.201:443 res.cdn.office.net tcp
GB 96.17.179.201:443 res.cdn.office.net tcp
GB 96.17.179.201:443 res.cdn.office.net tcp
GB 96.17.179.201:443 res.cdn.office.net tcp
GB 96.17.179.201:443 res.cdn.office.net tcp
GB 96.17.179.201:443 res.cdn.office.net tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 96.17.179.201:443 res.cdn.office.net tcp
GB 96.17.179.201:443 res.cdn.office.net tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp

Files

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

C:\Program Files\msedge_installer.log

MD5 5075bd88d1e8fafcc1a3bd58a1cebb61
SHA1 d55b0741a939c513d1579ab44f6eae7c843d46a5
SHA256 c43ab80a356adea3d84b22916e84da98b6a12dd48d021e751601d59a0228eed6
SHA512 143a5cfcdd351a5db0626878d52d32752bcf52cca1308ba20632ff6768fb82d830f59cfb0ba64daab513016d076f58066fd0cb020f6850fe1bb41c46730eca14

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Program Files\msedge_installer.log

MD5 9ad201e8cad1de49d233fef8f333ebe2
SHA1 e17eb6ed30d901312c3a449c35e3594be21c5e09
SHA256 21b9e19fe379e3e1277327121cad12dc198ffb9585020f5f83501e1b811a4bfa
SHA512 c01dec97f393fc959184041fa7894b6581ec37ee00c96281e492da3bc174e55e73976065503191d13e214d5e1de4d572744c39d1b358c7ee2571b204045bbddb

C:\Program Files\msedge_installer.log

MD5 fe495fcec0996678d61b74cd8be0a45e
SHA1 9590fc09c5617aab9068a080fb641a00c3680ad3
SHA256 dfec407fd5f7ddb6a97e96eb57df41aa221c180ff8c3bb72502d4e4902940b9e
SHA512 ca9652584b20e1daa6b854ee7e242fc03df8e4bf697d2138ec1a49100605c897e83c815f9aa0a9c5ff4d673227589a681429240c73181dd3f962c576cbcae749

C:\Program Files\msedge_installer.log

MD5 f132e2cd904fb62a9f285c0a04bb0c5c
SHA1 786eda7454d4f9becd59b7ffe155f04ad10a992b
SHA256 61777d3848dd49cb9b5bf4e93b9d832000e33dd3cd0c1a02e19056ddd3f2183a
SHA512 732d36594142fb3ffed348274cd5e473b9e61fe531d080e7d725bcd5f2b7663a6817786bcda4a0f19e567b402ff959d8c28231b2812029ca3f36d198a7a2407b

memory/1124-71-0x00000255AE7A0000-0x00000255AE7AE000-memory.dmp

memory/1124-72-0x00000255C8CB0000-0x00000255C8CBA000-memory.dmp

memory/1124-73-0x00000255C8CE0000-0x00000255C8CE8000-memory.dmp

memory/1124-74-0x00000255CA000000-0x00000255CA249000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2025-02-12 23:00

Reported

2025-02-12 23:04

Platform

win10v2004-20250211-en

Max time kernel

93s

Max time network

151s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em1.png"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em1.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzY2NDM4MDY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp

Files

N/A