chaos | 4a9d86eabf96dac50beb78e33e188427520c08670053f6599bf374f523906592

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2025 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
Size

26KB
MD5

c97fb12a2cf0c4fc6c0e38451987725f
SHA1

cf78f883f0661d221d2a0351888200ccf7985181
SHA256

4a9d86eabf96dac50beb78e33e188427520c08670053f6599bf374f523906592
SHA512

e7560496328a7a0638b7fceb34b4772ce47b4b314d2c3bedf4775ec961e12ee8f267a6f0429ad20afe51ead8f45329d5f78c7c9f2f604a7b4300c2fd966acf24
SSDEEP

384:9YenjLLA70loMPQ9Ce2OVp91Rk+b5dxDGi:M70lPYSc93k+bTxDN

Score

10^/10

chaos adware discovery persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/4956-0-0x00000000008E0000-0x00000000008EC000-memory.dmp	family_chaos

Chaos family
chaos

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
33	2272	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.url	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
4328	setup.exe
3420	setup.exe
2008	setup.exe
4460	setup.exe
3516	setup.exe
3184	setup.exe
212	setup.exe
652	setup.exe
980	setup.exe
720	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3311063739-2594902809-44604183-1000\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ce407725-5d86-48e0-bcf5-4a71bb046676.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\PdfPreview\PdfPreviewHandler.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2008_13384275981990123_2008.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\uk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\LICENSE	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\wdag.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\webview2_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\kn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\bg.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\mspdf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\wdag.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\kk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\fr.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\d3dcompiler_47.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\wns_push_client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\BHO\ie_to_edge_bho.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\km.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\133.0.3065.69.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\fr-CA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\gd.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ka.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\EdgeWebView.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedgewebview2.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3516_13384275985393259_3516.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\kk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\beta.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ug.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ug.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevated_tracing_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\km.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ur.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\ffmpeg.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\it.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ne.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2224	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\MuiCache	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com\ = "0"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\EBWebView\\x64\\EmbeddedBrowserWebView.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\ = "0"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,11"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\URL Protocol	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2576	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
3516	setup.exe
3516	setup.exe
1828	LocalBridge.exe
1828	LocalBridge.exe
1828	LocalBridge.exe
1828	LocalBridge.exe
1828	LocalBridge.exe
1828	LocalBridge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
Token: 33	4328	setup.exe
Token: SeIncBasePriorityPrivilege	4328	setup.exe
Token: SeDebugPrivilege	2716	wwahost.exe
Token: SeDebugPrivilege	2716	wwahost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	wwahost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2576	4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe	94
PID 4956 wrote to memory of 2576	4956	2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe	94
PID 2000 wrote to memory of 4328	2000	MicrosoftEdge_X64_133.0.3065.69.exe	111
PID 2000 wrote to memory of 4328	2000	MicrosoftEdge_X64_133.0.3065.69.exe	111
PID 4328 wrote to memory of 3420	4328	setup.exe	112
PID 4328 wrote to memory of 3420	4328	setup.exe	112
PID 4328 wrote to memory of 2008	4328	setup.exe	115
PID 4328 wrote to memory of 2008	4328	setup.exe	115
PID 2008 wrote to memory of 4460	2008	setup.exe	116
PID 2008 wrote to memory of 4460	2008	setup.exe	116
PID 4328 wrote to memory of 3516	4328	setup.exe	117
PID 4328 wrote to memory of 3516	4328	setup.exe	117
PID 4328 wrote to memory of 3184	4328	setup.exe	118
PID 4328 wrote to memory of 3184	4328	setup.exe	118
PID 4328 wrote to memory of 212	4328	setup.exe	119
PID 4328 wrote to memory of 212	4328	setup.exe	119
PID 3184 wrote to memory of 652	3184	setup.exe	120
PID 3184 wrote to memory of 652	3184	setup.exe	120
PID 3516 wrote to memory of 980	3516	setup.exe	121
PID 3516 wrote to memory of 980	3516	setup.exe	121
PID 212 wrote to memory of 720	212	setup.exe	122
PID 212 wrote to memory of 720	212	setup.exe	122

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-17_c97fb12a2cf0c4fc6c0e38451987725f_chaos_destroyer_wannacry.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2576

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDRDMUZFMEItRUYxOS00NkE0LUIwQjktMzlGRjZBQTI4NEMwfSIgdXNlcmlkPSJ7MjE5REE0MTItRjc4RS00OTVDLTk0MjgtNTVEMTZFMzRGRTAwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Mjk1QzAxNUEtRkQ0Ni00MTlGLTg2QTctNjlDNTNGQjNEREJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODA2MjI2OTIzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2224

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\MicrosoftEdge_X64_133.0.3065.69.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4328
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7cbea6a68,0x7ff7cbea6a74,0x7ff7cbea6a80
    3⤵
    - Executes dropped EXE
    PID:3420
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7cbea6a68,0x7ff7cbea6a74,0x7ff7cbea6a80
      4⤵
      Executes dropped EXE
      PID:4460
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff648b66a68,0x7ff648b66a74,0x7ff648b66a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:980
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff648b66a68,0x7ff648b66a74,0x7ff648b66a80
      4⤵
      Executes dropped EXE
      PID:652
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff648b66a68,0x7ff648b66a74,0x7ff648b66a80
      4⤵
      Executes dropped EXE
      PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:3732

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0FA5D7FD-5D83-4613-A6B2-DECFC6289D12}\EDGEMITMP_30E3A.tmp\setup.exe

Filesize
6.8MB

MD5
bdb1aecedc15fc82a63083452dad45c2

SHA1
a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

SHA256
4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

SHA512
50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
4aaa893417cccc147989f876c6a7b295

SHA1
b1e35c83518bb275924ead0cd6206bf0c982d30f

SHA256
2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb

SHA512
109e0c88977fae65a4950fc38393ca32a70d68ef41aeb75b28e6566e0fa626e32e31be38308e7ed5b6a8ba1f56fb5f2133a07aa8bb643224c3dbb089ce9cfd0e

Download Submit
C:\Program Files\msedge_installer.log

Filesize
73KB

MD5
1cd9b954b795cf7d63dcfb514fbe18f2

SHA1
41d641ae872d47e5e0c7d9f58bb0091104299319

SHA256
54e07fbe557c5e75645935faaabca352c5253c5936539535f1b8247915672bd2

SHA512
6562169a1a00190cd417f54892ecf1b8517c44572bf790c1ff0d98396e08f86bda6159d6b420255d49cd499363630e9b9293e6ca3c76dc48fdb7e7854df87593

Download Submit
C:\Program Files\msedge_installer.log

Filesize
102KB

MD5
0320433d4092a530ed5611d679891bf9

SHA1
4e47d276a1f456d6246c0c5d332fb0bb8e787b40

SHA256
fae1e5c334ae65a9711befdc42d20425c143d74ccc10cf6f4e6ae0d8d94325fb

SHA512
95437d65e5a6cf7f6ce6a9fdc29b181378f91896577f8aedb45047f2c189a74d226ad0287ba99c4c8faac012395b150daa841bd9aae0482dc2d365c18df58b1e

Download Submit
C:\Program Files\msedge_installer.log

Filesize
104KB

MD5
2ed3fa58639c349d14654958f6418d06

SHA1
7573aebb98e761d018565c1802aae1aa53c59ab5

SHA256
977e68371964cad59198a1ba0202e7c2088525ab300e2f77678e902a77dd5971

SHA512
67db28a632ae05dd5602b8178f03304369c79161419e650e2214c2ba3acc32a88467388fd7522fd5f8152d67ba0c7b5fe2462ba3dde93840f956bba505b25ba5

Download Submit
C:\Users\Admin\AppData\Local\read_it.txt

Filesize
964B

MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\AppData\Roaming\DisconnectMeasure.sql

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
C:\Users\All Users\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
403KB

MD5
f2cd4cc59ba8b525dea27ddd35a8ca53

SHA1
95d42a4109aed0ddc82271b561f25eda96ed36fc

SHA256
47c4884678fca048c3ac48fdd4e6dd10bf6df135393ffc823426aba897544427

SHA512
73ade62c10d8f760f53efe7af44805decc174c97782464d620a0daa5347733fde03caaef1dbc8a8c89d19e7ef7da102cef790178f58a88fd3fff5c433a9778f8

Download Submit
memory/1828-1348-0x0000027630310000-0x000002763031E000-memory.dmp

Filesize
56KB

Download
memory/1828-1349-0x00000276307C0000-0x00000276307CA000-memory.dmp

Filesize
40KB

Download
memory/1828-1350-0x00000276307F0000-0x00000276307F8000-memory.dmp

Filesize
32KB

Download
memory/1828-1351-0x000002764AC00000-0x000002764AE49000-memory.dmp

Filesize
2.3MB

Download
memory/4956-1138-0x00007FFBF04C3000-0x00007FFBF04C5000-memory.dmp

Filesize
8KB

Download
memory/4956-1277-0x00007FFBF04C0000-0x00007FFBF0F81000-memory.dmp

Filesize
10.8MB

Download
memory/4956-74-0x00007FFBF04C0000-0x00007FFBF0F81000-memory.dmp

Filesize
10.8MB

Download
memory/4956-1-0x00007FFBF04C3000-0x00007FFBF04C5000-memory.dmp

Filesize
8KB

Download
memory/4956-0-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download