hxxps://cdn[.]discordapp[.]com/attachments/1132620500321968160/1217225513211527288/spoof_2[.]zip?ex=66dacdd9&is=66d97c59&hm=5600609ff9d9c6f995402846c4076ff82970ef50aca1abf2227e639599374bb1&

Resubmissions

05/09/2024, 14:49

240905-r7bcaatepg 10

05/09/2024, 14:48

240905-r6wltsshkp 5

Analysis

max time kernel
101s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/09/2024, 14:49

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1132620500321968160/1217225513211527288/spoof_2.zip?ex=66dacdd9&is=66d97c59&hm=5600609ff9d9c6f995402846c4076ff82970ef50aca1abf2227e639599374bb1&

Score

10^/10

defense_evasion discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2944	bcdedit.exe
2132	bcdedit.exe
2760	bcdedit.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SETEE82.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETEE82.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETEE82.tmp\:Zone.Identifier:$DATA	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\segwindrvx64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\segwindrvx64.sys	DrvInst.exe

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	reg.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2008	takeown.exe
4724	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2008	takeown.exe
4724	icacls.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4560	powercfg.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\segwindrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\segwindrv.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETECFB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETECFB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETECFB.tmp\:Zone.Identifier:$DATA	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0D.tmp\:Zone.Identifier:$DATA	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrvx64.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File created	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File created	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0C.tmp\:Zone.Identifier:$DATA	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299	DrvInst.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\segwindrvx64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrvx64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.PNF	H2OSDE-Wx64.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.cat	DrvInst.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\WallPaper	reg.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.inf\:Zone.Identifier:$DATA	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	H2OSDE-Wx64.exe
File created	C:\Windows\INF\oem2.PNF	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\inf\oem3.pnf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	H2OSDE-Wx64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	H2OSDE-Wx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	H2OSDE-Wx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	H2OSDE-Wx64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\{46a14c5d-1155-bb48-a5eb-346084cf0a7c}\SETEC90.tmp\:Zone.Identifier:$DATA	H2OSDE-Wx64.exe
File created	C:\Windows\INF\oem3.inf\:Zone.Identifier:$DATA	DrvInst.exe
File opened for modification	C:\Users\Admin\Downloads\spoof_2.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\{46a14c5d-1155-bb48-a5eb-346084cf0a7c}\SETEC8E.tmp\:Zone.Identifier:$DATA	H2OSDE-Wx64.exe
File created	C:\Users\Admin\AppData\Local\Temp\{46a14c5d-1155-bb48-a5eb-346084cf0a7c}\SETEC8F.tmp\:Zone.Identifier:$DATA	H2OSDE-Wx64.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2956	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
244	msedge.exe
244	msedge.exe
4492	msedge.exe
4492	msedge.exe
652	identity_helper.exe
652	identity_helper.exe
2696	msedge.exe
2696	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe
Token: SeIncBasePriorityPrivilege	5076	WMIC.exe
Token: SeCreatePagefilePrivilege	5076	WMIC.exe
Token: SeBackupPrivilege	5076	WMIC.exe
Token: SeRestorePrivilege	5076	WMIC.exe
Token: SeShutdownPrivilege	5076	WMIC.exe
Token: SeDebugPrivilege	5076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5076	WMIC.exe
Token: SeRemoteShutdownPrivilege	5076	WMIC.exe
Token: SeUndockPrivilege	5076	WMIC.exe
Token: SeManageVolumePrivilege	5076	WMIC.exe
Token: 33	5076	WMIC.exe
Token: 34	5076	WMIC.exe
Token: 35	5076	WMIC.exe
Token: 36	5076	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1508	svchost.exe
Token: SeIncreaseQuotaPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeTakeOwnershipPrivilege	1508	svchost.exe
Token: SeLoadDriverPrivilege	1508	svchost.exe
Token: SeSystemtimePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeShutdownPrivilege	1508	svchost.exe
Token: SeSystemEnvironmentPrivilege	1508	svchost.exe
Token: SeUndockPrivilege	1508	svchost.exe
Token: SeManageVolumePrivilege	1508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1508	svchost.exe
Token: SeIncreaseQuotaPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeTakeOwnershipPrivilege	1508	svchost.exe
Token: SeLoadDriverPrivilege	1508	svchost.exe
Token: SeSystemtimePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeShutdownPrivilege	1508	svchost.exe
Token: SeSystemEnvironmentPrivilege	1508	svchost.exe
Token: SeUndockPrivilege	1508	svchost.exe
Token: SeManageVolumePrivilege	1508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1508	svchost.exe
Token: SeIncreaseQuotaPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeTakeOwnershipPrivilege	1508	svchost.exe
Token: SeLoadDriverPrivilege	1508	svchost.exe
Token: SeSystemtimePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeShutdownPrivilege	1508	svchost.exe
Token: SeSystemEnvironmentPrivilege	1508	svchost.exe
Token: SeUndockPrivilege	1508	svchost.exe
Token: SeManageVolumePrivilege	1508	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1508	svchost.exe
Token: SeIncreaseQuotaPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeTakeOwnershipPrivilege	1508	svchost.exe
Token: SeLoadDriverPrivilege	1508	svchost.exe
Token: SeSystemtimePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1896	H2OSDE-Wx64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 1376	244	msedge.exe	79
PID 244 wrote to memory of 1376	244	msedge.exe	79
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 4656	244	msedge.exe	80
PID 244 wrote to memory of 3320	244	msedge.exe	81
PID 244 wrote to memory of 3320	244	msedge.exe	81
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82
PID 244 wrote to memory of 4948	244	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1132620500321968160/1217225513211527288/spoof_2.zip?ex=66dacdd9&is=66d97c59&hm=5600609ff9d9c6f995402846c4076ff82970ef50aca1abf2227e639599374bb1&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb12c13cb8,0x7ffb12c13cc8,0x7ffb12c13cd8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10479305493500267192,5369518554510527063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\spoof_2\check.bat" "
1⤵
PID:692
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  PID:3024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:1520
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get manufacturer, product, serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get manufacturer, releasedate, serialnumber
  2⤵
  PID:4644
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get name, uuid
  2⤵
  PID:412
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\spoof_2\VHD\1.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\spoof_2\tweaks\1.bat" "
1⤵
PID:3596
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootuxdisabled yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2944
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2132
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2760
- C:\Windows\system32\powercfg.exe
  powercfg h off
  2⤵
  - Power Settings
  PID:4560
- C:\Windows\system32\reg.exe
  reg import 1.reg
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Modify Registry: Disable Windows Driver Blocklist
  - Sets desktop wallpaper using registry
  PID:3812
- C:\Windows\system32\takeown.exe
  takeown /F C:\Windows\System32\dbgeng.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2008
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\System32\dbgeng.dll /grant Administrators:D
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\spoof_2\check.bat" "
1⤵
PID:4104
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  PID:236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:4668
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get manufacturer, product, serialnumber
  2⤵
  PID:4176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get manufacturer, releasedate, serialnumber
  2⤵
  PID:3068
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get name, uuid
  2⤵
  PID:3400
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\spoof_2\Insyde\spoof.bat" "
1⤵
PID:3128
- C:\Users\Admin\Downloads\spoof_2\Insyde\H2OSDE-Wx64.exe
  H2OSDE-Wx64.exe -SU AUTO
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - NTFS ADS
  PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4804
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{46a14c5d-1155-bb48-a5eb-346084cf0a7c}\segwindrv.inf" "9" "49f798bf3" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\downloads\spoof_2\insyde"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - NTFS ADS
  PID:3612
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\INSYDESEG\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca1156c0ee7a:Insyde_Device64:6.1.7600.16385:{416c2604-443b-436f-9e1d-607bdc3cc785}\segwindrv," "49f798bf3" "0000000000000164" "695"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1684
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "5" "2" "C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.inf" "0" "48643ea57" "0000000000000188" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1952
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8b964c04-6646-3c4b-9cd1-38c5e30bf3c8}\segwindrv.inf" "9" "49f798bf3" "0000000000000160" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\downloads\spoof_2\insyde"
  2⤵
  PID:1968
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\INSYDESEG\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca1156c0ee7a:Insyde_Device64:6.1.7600.16385:{416c2604-443b-436f-9e1d-607bdc3cc785}\segwindrv," "49f798bf3" "00000000000000F0" "695"
  2⤵
  PID:3124

C:\Users\Admin\Downloads\spoof_2\Insyde\H2OSDE-Wx64.exe
"C:\Users\Admin\Downloads\spoof_2\Insyde\H2OSDE-Wx64.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0fd19af25c2136ff180621a82657035

SHA1
c77f4f08a194ea027c9b01a635757a16de6284e8

SHA256
c499bdbe8d836806cd21b53a330ffd25c0c6352cac476619bbb82832d57becfa

SHA512
35c8a975811f1e3a848e75fa021c41be2aaf144e7bacf5171b6ca8551386cfad07f40217d056a9b9393f1e79d40fcc5fbe6986a72adcb092a5f155df4ac37263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41adcadcd8ca9d602023b001c823fb4d

SHA1
73c0c6e37abdb3e3fecb30de2ba821a7e3e2726b

SHA256
ca8a895304902515ae265d6b9282ce3485f53c400bfcba0d0dd3d361595696fe

SHA512
e0dcbe052700ab0cd5ece5846e16d0cae07fa979a78c66df0730bb096f7e1a7eee7d179313167b96f740ecff24de014d45dca32c15dc04a6c246caf4236de921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ce75f7368b857194aa812924e6d9593b

SHA1
4a33483702faa8b9481885e5fa0976e1f6d41bbf

SHA256
0c3f2257e37cd6e1688fd39f5e315dbb8d7838b114d86cfaa513b78fdb893a99

SHA512
15450e27c9490f7305fa607513ef82fc088080bf711fcd66b74949a2e988fb42b101f8e81067f449b484dc06bf5741fe661221f4f23dc2c0d43eea314ad6a77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ebe39135f692a6007e253db97da8281

SHA1
eccaa480c3f5826f6f3a42a7e82ec61d8c1ec7d5

SHA256
6a56b5718b6b06456ba460cc9c8e409ecdbf656bde40ed9255822cd5bd03a800

SHA512
eb20650b49d5ce33a69cebc4671068bec0097bb53535721c9d0a108d38dbea2f93fc0ab3c322a24df710c04650b8c8a3766e038a658de911906949c4f62daa30

Download Submit
C:\Users\Admin\AppData\Local\Temp\{46A14~1\segwindrvx64.sys

Filesize
103KB

MD5
e46dfe45c1714f4920d3fd2546f2f630

SHA1
28cdb0b48c1d88d71421ec9e40ce52836ab79956

SHA256
b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6

SHA512
97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{46a14c5d-1155-bb48-a5eb-346084cf0a7c}\segwindrv.inf

Filesize
4KB

MD5
843fb7475608ce359da7cbd48fa3ab1d

SHA1
ae16643aa1756b34391e4c615958343ecb17b153

SHA256
e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7

SHA512
9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

Download Submit
C:\Users\Admin\Downloads\spoof_2.zip

Filesize
565KB

MD5
79aa575e7e2b033646f74f69e44c60d4

SHA1
6feff8cad2f9ae2b831343fa7bfcb408ffe23b92

SHA256
022e498fe973889e1c2ad0964f0a097a87feb14ceb314a5c19c7ff5d9c7ebb36

SHA512
732e1ae4488765d0a4b5919900c548272ce932d97743a1c8adca26d437c9c4e38a78b45c5ccf15acd51d0042f33c6d132e98a6dfd92132d3bc97ff58984de006

Download Submit
C:\Users\Admin\Downloads\spoof_2.zip:Zone.Identifier

Filesize
219B

MD5
5ad35ea4e263c9b546b01bd83b4a9875

SHA1
1ecd579daa6250f28e93dadf491a830439ad5deb

SHA256
bdfdfa45633df366e2a3e61069497be1738fd8b51eac308fdf46e1227314ceda

SHA512
7184d27e32e8111f42ed3b44de755db488c27823909dd0c3dcc30319b89b659f37791fb5e8bb0e9d91fe2210f277bb366eb4d6b277de53cc7dc79b1088623b11

Download Submit
C:\Users\Admin\Downloads\spoof_2\Insyde\sde.log

Filesize
41B

MD5
9cac67a832291beb1fba94960d45fbac

SHA1
a74d4010a0d549138845b25d99c83e93f2125982

SHA256
d10ccb06fa4726e32ad6f1f3b9df6abbb48d097b2ecfdb4b57379e694287c1c5

SHA512
c82899964b5a8a04b0fbc06b33440bfee890a8466a3734a24580c9a144e359999a7dd48bd9691a57e4f55381dc696045966802027c92499f65be7945789929e6

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
2KB

MD5
a6405c75a4131c29daa4341c3333efc5

SHA1
064f5201f3174d3e2a5671d649081ee2dd6a1919

SHA256
7c935871509a9defa97a408ebfdf02ad2d9394ae795666b04ad909e5f5bf0f41

SHA512
e4389daae2005ffc340081d98b81e452bac4ef9e606f0aa26cec08de1f67fb607769045a52d66d5f9a9fa99b8a6b72f918cc433460785c871b7bab9309e6e43f

Download Submit
C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0C.tmp

Filesize
10KB

MD5
43d3603cf918445cbd1d7253b49bf527

SHA1
fabfaee55f2c4e6ca508d735b297bdb738ab1c7d

SHA256
e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5

SHA512
183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

Download Submit
C:\Windows\System32\DriverStore\Temp\{be82b140-b45f-7f4d-bb61-dd6418b69932}\SETED0C.tmp:Zone.Identifier

Filesize
76B

MD5
c3d4c0b94ea63b8a580a9a27d0a900e7

SHA1
c1fb9038b58b7d5e6654750af78fb79ae726b76d

SHA256
f37a1afcf66f3dba80b3890a8d11b2525ccf2895128ad784c7a66d9412fa5547

SHA512
080466385762266ab594bcbb67274dd84faa33f9132b55b4581820c1f1de51f2a126e9bd1ef8d74df5a051dfd9242a2afc1c4946acdbd8ed1ee3e160c2173b9a

Download Submit
C:\Windows\system32\wbem\repository\MAPPING1.MAP

Filesize
76KB

MD5
890fccaa2e8076270d624645d9172d2f

SHA1
d5b197fa21dccc21c538577c689372d611c4620c

SHA256
cee877885c481197d99e263623f98b92f0043825783ca866b7572caeb3513aeb

SHA512
fced5ed4e8b687f38de056d7e14fc456e909d00d9aec1809a2cfc042bf0b6d60b924ce53c1fd6e297d5c9e375ad68c9fb27e9e6d73466204cc75e986db922b83

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads