Analysis Overview
SHA256
795174a48bb492a185ebab88bde39c8ff8b193c3729602a5a8f9425baec7ea1b
Threat Level: Known bad
The file empyrean-grabber.zip was found to be: Known bad.
Malicious Activity Summary
Detects Empyrean stealer
Empyrean family
Downloads MZ/PE file
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Modifies registry class
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-12 23:00
Signatures
Detects Empyrean stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Empyrean family
Analysis: behavioral6
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
98s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\LICENSE.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzVBNDQ3NkYtNDUyNi00NjA5LTgxNTgtOTQ5QzhDMzhDMDcwfSIgdXNlcmlkPSJ7OTAzNUIyREItQjBEMS00NDY5LThFMjktMjhBNEQ0OUM1Q0NGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUI1NEJGMkEtOEU0QS00RUJGLTk2OUYtNjkyQUQ4NjBCRjA4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDI3MTc2MDY4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.66.170:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
93s
Max time network
153s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\makeenv.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDI3NDY1RkMtQzE5MC00MjY2LTg0RkQtNUIyNURCN0FDQTIzfSIgdXNlcmlkPSJ7ODRGM0JCQ0ItQjFDQS00NkU1LTgyNkYtQjJFQzc0QjY5ODRBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7REE2RjAxQTYtRDY3NC00OUZFLTkzRjMtQUI2MUJFRDJEQzg1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTA3MzgyMDU3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| GB | 104.86.110.120:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
98s
Max time network
133s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Processes
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em2.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTM5RTIwMDYtMTQ1NC00MjcyLTk2RTItQzQyOEY1MzE2ODY3fSIgdXNlcmlkPSJ7OThFNzBBODctRkVFQi00RkQ3LUEzNkYtQTY1MkY2RUMwMDAwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkM1MTFDOUYtQjlFMi00N0EwLTgxMzEtOTU2MUJDNTEyQTBCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjI3MjcwNDYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 104.86.110.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.81.130.134:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
92s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Processes
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em3.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjE2Mjc3MUItMzUyMC00Nzk2LThDRTEtMzNEMTQ5QUMyQzY1fSIgdXNlcmlkPSJ7OTVCOUI1OUYtRjlDNS00RDZFLUI3QjItMkY3ODE0QkY2MkFBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUUwNkE3NjYtOTgxQi00MDY4LUE3OTctRTBFMUE0RkMzQUE5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzI0MTk2MDg5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.81.130.133:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
95s
Max time network
135s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Processes
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\footer.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODlBOTMxQkQtRTc1MS00MUE2LUEyNTYtMzM4MjJDMUNFNTIwfSIgdXNlcmlkPSJ7ODYzOTFFOTgtQzA1Qi00NkMyLUJCNUItQzlERjE5MDk4NzlGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTJBOUMyMDgtMDI5Qi00RTJELTgxMzMtN0FDMTIzQzZCMjZBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzg1MjkxNDM3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp |
| GB | 2.18.66.179:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
93s
Max time network
137s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\antidebug.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjJCMzJGMzYtMkEwRC00QTdCLTk3MjYtMkQ4RTA5OEEzN0E1fSIgdXNlcmlkPSJ7ODFBNjI3RUYtMDk4Qi00RTAzLTg5MEEtMjRDMEQ5QTUyMDAwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODQ4MENFQTctQjQzOS00ODFGLUE1RDYtM0ZEMjNDQTM5NzIyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU4NzgwNzc1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 52.252.28.242:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.85:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.github\ISSUE_TEMPLATE\feature_request.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTdEOUQ5MDctNkM3Mi00RTlGLUIxQkMtQTZGMTREQTM3NTVCfSIgdXNlcmlkPSJ7MUY4MTM2NDgtRENEMi00M0ZGLUIxQTMtQTYyRDVGQjZGNDY2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjhFNDlCNEUtNkUyNS00QkFBLTkwRjktNjcyNDk4OEUwNDhEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDExMTkzNTQyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.gitignore
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUEwRjY3MzQtN0MwQS00MDgwLUI3NzUtRDExMjhFOTI3M0MwfSIgdXNlcmlkPSJ7Qjg4NkIwM0ItMzVFOS00OEZDLUIyQTgtQUU0NDgwOUExNEJBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDA4RDFDRDgtMzVFNi00QTM5LUE5OTYtQkE1NkIxNUUwRkRBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzYwODA3NjQ5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\build.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OUZCNzkzRTctM0YzMS00Q0M4LUJBMDYtMjIwM0U3NUFCMTJEfSIgdXNlcmlkPSJ7NERCMzJDNjMtNzQ2My00REZCLTg2QkYtNERBMTM4MUE3RkJBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTFBOUE5MEEtNzM3Mi00MDg0LUEwODUtMUJEOTJBQzUxQTY5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQ1MDY2MzE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.66.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.81.129.182:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
95s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\main.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzEzRTY1MDgtNTMxMC00NTBFLUI1NEMtQjExQjYxRjU1QkM2fSIgdXNlcmlkPSJ7ODk2MkJBRDItNzIwQy00MThGLUFBRjAtRTE4MTYxQzU5RTcwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDJCMTMzNEEtNDgwRS00NzJDLTk4RTUtQkYwNjMwQjYwRjc1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTc0MjE0MjUzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 104.86.110.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| IT | 91.80.49.85:80 | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\injection.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0E4REM3QzMtNTFERS00QTU5LUIyNTItQTU3RDIxOEVGNkM4fSIgdXNlcmlkPSJ7MEFGNjEyMzktQjYwQi00RjcxLUI4QkQtRUVCQzcwMTIwOEJFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTNDQzg5QzAtQUVBRS00OTA1LUE4RDUtOUYxQzZBMjNGNzlCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTk2ODY5NzAxOCIvPjwvYXBwPjwvcmVxdWVzdD4
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.66.170:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.151.228.221:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
120s
Max time network
140s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\config.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjM1OEJGNkMtQzZDMi00N0IxLTg0QTAtRTJCMEYwOTBGNEYyfSIgdXNlcmlkPSJ7MEY4ODQ1QUUtMkUyQy00MEFDLTg2NTMtQ0MwMjFDNkVGQUM2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUU0RjJCOTgtMzNCOC00QUNDLTlCNkMtOUU2QkE0NUZGMkJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTIxNTEzNzQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.81.129.180:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\main.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEZBMTQ5M0EtN0ZBOS00ODE0LUJGRjAtMEU4NUVFQzU0RDM2fSIgdXNlcmlkPSJ7RDIzODRCQkEtOEI5My00QjJBLUFFRTktNkIwOTBCOEQ5RDA0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjU3RDdEQkQtNTNDRC00MzhELUJEODctQ0M1QjkxMTE1NzJCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTY3NjA4MDQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\empyrean-grabber.zip
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjY3MkI0MTQtOTI4My00RjEzLUExQzItMDZBNENBRjlFMzA5fSIgdXNlcmlkPSJ7N0YzMUVFMzAtRkMzNS00QjM1LTlENzItOUUwNzRCMTdEMEE2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTRBOTI3NDYtRjgwQi00QjA1LTk3QTQtQzJBMzVEM0Y3OUQzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDY2NDU0NjkyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\empyrean-grabber\build.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 52.252.28.242:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
102s
Max time network
123s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.github\ISSUE_TEMPLATE\bug_report.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkU4M0M4MjgtNzY5QS00OUZELTkwNkItOERCNzYyQTYwMTg5fSIgdXNlcmlkPSJ7QUU0QkM3NzYtMUUxOS00QjAwLTlEQUYtQ0VCQ0JBRjJBMjVBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjM0RDBDQUQtQjJDNS00MUM3LUJGMEQtMTgzOEI1MTgwNkZCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU4OTYyMzAzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.66.64:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\README.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkYxRDQ1QkYtMjFDNS00NUI2LUFGODItQUI1MEQ3NzcyNDZDfSIgdXNlcmlkPSJ7NkUzM0I3REQtNUY3OS00NEUyLUE3M0UtQTI2RThDQ0IyQUFCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkEzMzk2QzItNUMyNi00RkM5LTk4NjctRDYzNEE1MkYzNjgzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NjkzMzEwNzIxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\config.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDY4MDM2RjEtOUMwNy00RUI2LTgwMzMtNjk5REZBN0YzQzU1fSIgdXNlcmlkPSJ7ODhERUE3MTUtMjNCMS00RjVFLTlFMDItNTQwNzhCREQxRTYzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTBDMERCRDktRDMyOC00RDIwLTk4OTAtNkUyOTEzNjgwNzZEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTA4NTU4MzYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.21:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\writeconfig.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDY2QTA0MzctQkM3MS00NzE3LTk0MTUtQ0JEMEM0NjRDOEM1fSIgdXNlcmlkPSJ7QjRBRkVCNkUtQjc0QS00OTkyLTk4NEEtQkFCN0YyMjA0QkY1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MUIzQzVBNTYtNTNBQS00OUJBLUFERTItNTZFNUFDQjBCMzY3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjkxNjYwNTE3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.81.129.180:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
97s
Max time network
152s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\startup.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzk5QkNDQTMtQ0ZCQS00MkVGLTg3OEQtNUMyNzU2M0NDNUQzfSIgdXNlcmlkPSJ7Nzg4NDA5M0MtMDU2QS00NTA2LUIyNDYtRUNGMThBQTEyQUZCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkIzNzc5ODktQzA0Ri00MzU1LUE0Q0UtNjYyRjVGRTEwQTRCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDE5OTc2NTg0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.66.67:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.81.129.180:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
96s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\src\components\systeminfo.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzlFMTAzNjQtNjkwMC00MTYwLThEOEYtOUJENUM3MzIyMjZFfSIgdXNlcmlkPSJ7NzJDRDg2RTMtMEQ0NC00NTEyLTlDNzMtQzEzOTI2MkI1NEEwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDRFMjAyQjAtNEY2QS00NUI5LTk0RTMtMzM1Q0M5RkEwNzI3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTcxOTQ4NDcyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.66.170:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.81.129.180:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
99s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\.editorconfig
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEYxOTdEMjMtMEFDMi00Q0IzLUE0MEQtMDU2RjQwQTVCQjUyfSIgdXNlcmlkPSJ7N0NCODFGNDktRkNFQy00OUY2LTkwQ0UtMUNEQUZDQ0U5NTNEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjRFMTRBQjMtOUU3Mi00MDZGLTg2OUMtODFCMEU2RkJCMzhFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTkwMDE4NjU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.66.43:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250207-en
Max time kernel
97s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\build.bat"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUI2RjE3MjctM0IwQy00MkM3LTg4NUItNUEyQzU1RTQ3NkM2fSIgdXNlcmlkPSJ7M0E4NDlDMEMtNTk2RS00OTlELUIwRDAtQUQ1RjlDQkRDMTA3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUUwODRGOEMtQjkyMy00OTgwLUI3QjQtRUExMUE0MzY2MzhFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDMxMTQ2MTE4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.66.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.151.228.221:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\builder\util\obfuscate.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDQwNUFDMjAtREI4NC00NTcwLUJDNjQtMUFBODc5OTYzMjNEfSIgdXNlcmlkPSJ7RUFBMzc5MTUtOUNDNS00MzZELTg5ODQtMkVFRjgwMDg3RDkyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODJENkRCNDItOUU4Mi00RTZDLUJDRTQtM0Y1RjM5QTUwMEVCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDkyNTQ4NDA1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 52.252.28.242:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.85:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
95s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Processes
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\banner.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjNGNUQ5RTUtRUMxOS00RkE3LUI1RTMtMTRFMkMxNzNGQTQ5fSIgdXNlcmlkPSJ7Q0I5Njc4ODItM0Y0My00MjA5LThERUUtNDJCMDFEM0VGOEE5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDU0MDk4QjUtMUI0Mi00MzRFLUEyMkMtNkI0QTVEMTYxNjg5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODI2NTMwOTE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.66.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
120s
Max time network
149s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Processes
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\bu0.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjdDMzU5MjItNkNEMy00NkFBLUIwQkUtOUJGQzNCNzZGODdFfSIgdXNlcmlkPSJ7NkZCMURDQ0MtQjNENi00MTQzLUJCQjItODQzQ0JDQkU2M0JFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUZBN0QxQTgtMjI4MS00MUJBLUFFOTQtNDYyOTA1Q0REMzAxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODgwMDk1ODgxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.151.228.221:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "0" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AppID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\EBWebView\\x64\\EmbeddedBrowserWebView.dll" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\ = "Microsoft Edge MHT Document" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_helper.exe\"" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xhtml | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xml | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wwahost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wwahost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\wwahost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em0.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Rjk5MzlGQzctNzE3Qi00NTVELUI2RjMtNjI2REZFNDJGQzA5fSIgdXNlcmlkPSJ7MDg5NTQ2MEEtQ0M3Qy00MjQ5LUE1N0UtODIzMkVBQzM4NDhEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTFBQ0FERUMtQUZFNC00OTA0LTkxQjctOTkyRTEyRjIyMUFEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzg1ODg1NTYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff660c96a68,0x7ff660c96a74,0x7ff660c96a80
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff660c96a68,0x7ff660c96a74,0x7ff660c96a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ad126a68,0x7ff6ad126a74,0x7ff6ad126a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ad126a68,0x7ff6ad126a74,0x7ff6ad126a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ad126a68,0x7ff6ad126a74,0x7ff6ad126a80
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| GB | 2.18.66.73:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 91.80.49.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.office.com | udp |
| US | 13.107.6.156:443 | www.office.com | tcp |
| US | 8.8.8.8:53 | res.cdn.office.net | udp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 51.11.108.188:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| GB | 96.17.179.201:443 | res.cdn.office.net | tcp |
| GB | 51.11.108.188:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp |
| GB | 51.11.108.188:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 51.11.108.188:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 51.11.108.188:443 | data-edge.smartscreen.microsoft.com | tcp |
Files
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D250C3F4-339F-4F4A-A977-DAB81688A8B5}\EDGEMITMP_36145.tmp\setup.exe
| MD5 | 1b3e9c59f9c7a134ec630ada1eb76a39 |
| SHA1 | a7e831d392e99f3d37847dcc561dd2e017065439 |
| SHA256 | ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae |
| SHA512 | c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e |
C:\Program Files\msedge_installer.log
| MD5 | 5075bd88d1e8fafcc1a3bd58a1cebb61 |
| SHA1 | d55b0741a939c513d1579ab44f6eae7c843d46a5 |
| SHA256 | c43ab80a356adea3d84b22916e84da98b6a12dd48d021e751601d59a0228eed6 |
| SHA512 | 143a5cfcdd351a5db0626878d52d32752bcf52cca1308ba20632ff6768fb82d830f59cfb0ba64daab513016d076f58066fd0cb020f6850fe1bb41c46730eca14 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
| MD5 | ad5f7dc7ca3e67dce70c0a89c04519e0 |
| SHA1 | a10b03234627ca8f3f8034cd5637cda1b8246d83 |
| SHA256 | 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31 |
| SHA512 | ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51 |
C:\Program Files\msedge_installer.log
| MD5 | 9ad201e8cad1de49d233fef8f333ebe2 |
| SHA1 | e17eb6ed30d901312c3a449c35e3594be21c5e09 |
| SHA256 | 21b9e19fe379e3e1277327121cad12dc198ffb9585020f5f83501e1b811a4bfa |
| SHA512 | c01dec97f393fc959184041fa7894b6581ec37ee00c96281e492da3bc174e55e73976065503191d13e214d5e1de4d572744c39d1b358c7ee2571b204045bbddb |
C:\Program Files\msedge_installer.log
| MD5 | fe495fcec0996678d61b74cd8be0a45e |
| SHA1 | 9590fc09c5617aab9068a080fb641a00c3680ad3 |
| SHA256 | dfec407fd5f7ddb6a97e96eb57df41aa221c180ff8c3bb72502d4e4902940b9e |
| SHA512 | ca9652584b20e1daa6b854ee7e242fc03df8e4bf697d2138ec1a49100605c897e83c815f9aa0a9c5ff4d673227589a681429240c73181dd3f962c576cbcae749 |
C:\Program Files\msedge_installer.log
| MD5 | f132e2cd904fb62a9f285c0a04bb0c5c |
| SHA1 | 786eda7454d4f9becd59b7ffe155f04ad10a992b |
| SHA256 | 61777d3848dd49cb9b5bf4e93b9d832000e33dd3cd0c1a02e19056ddd3f2183a |
| SHA512 | 732d36594142fb3ffed348274cd5e473b9e61fe531d080e7d725bcd5f2b7663a6817786bcda4a0f19e567b402ff959d8c28231b2812029ca3f36d198a7a2407b |
memory/1124-71-0x00000255AE7A0000-0x00000255AE7AE000-memory.dmp
memory/1124-72-0x00000255C8CB0000-0x00000255C8CBA000-memory.dmp
memory/1124-73-0x00000255C8CE0000-0x00000255C8CE8000-memory.dmp
memory/1124-74-0x00000255CA000000-0x00000255CA249000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2025-02-12 23:00
Reported
2025-02-12 23:04
Platform
win10v2004-20250211-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Processes
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber\img\em1.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDIzOUQ5RTUtQzZDMi00QUM0LTlDODEtRjFGN0JBREFDRjhCfSIgdXNlcmlkPSJ7QjQ1NjdDRUEtRjRCQS00Q0JBLUE5NzQtQUNGMkVERDI0QzNCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0YyMjVEMDAtOThCRS00MEQyLUE4QzUtNkZBMjgzMjVCMEE2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzY2NDM4MDY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |