Malware Analysis Report

2024-12-07 14:34

Sample ID 241005-p39yyaxhqb
Target spoof.zip
SHA256 59e3791f2e7196a6bafebeee9d7b41d2a93f543bc96d16f44e98a9d237e3b121
Tags
discovery defense_evasion evasion exploit persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59e3791f2e7196a6bafebeee9d7b41d2a93f543bc96d16f44e98a9d237e3b121

Threat Level: Known bad

The file spoof.zip was found to be: Known bad.

Malicious Activity Summary

discovery defense_evasion evasion exploit persistence ransomware trojan

Modifies visibility of file extensions in Explorer

Modifies visiblity of hidden/system files in Explorer

UAC bypass

Modifies boot configuration data using bcdedit

Possible privilege escalation attempt

Modify Registry: Disable Windows Driver Blocklist

Modifies file permissions

Power Settings

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Modifies data under HKEY_USERS

Runs net.exe

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 12:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.exe

"C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

102s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\AMI\amigendrv64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\AMI\amigendrv64.sys

C:\Users\Admin\AppData\Local\Temp\AMI\amigendrv64.sys

C:\Users\Admin\AppData\Local\Temp\AMI\amigendrv64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

100s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AMI\spoof.bat"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.EXE
PID 1844 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.EXE

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AMI\spoof.bat"

C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.EXE

AMIDEWINx64.exe /SU AUTO

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:52

Platform

win10v2004-20240802-en

Max time kernel

0s

Max time network

2s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\SET84DF.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\SET84F0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\SET84DF.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\SET84F0.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\SET84F1.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\SET84F1.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\segwindrv.inf_amd64_27984eece3494299\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d} C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 984 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 1432 wrote to memory of 984 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe

"C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a270e740-55ce-1f4c-8c65-2eee63cc25cd}\segwindrv.inf" "9" "49f798bf3" "0000000000000140" "WinSta0\Default" "00000000000000F8" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\INSYDESEG\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca1156c0ee7a:Insyde_Device64:6.1.7600.16385:{416c2604-443b-436f-9e1d-607bdc3cc785}\segwindrv," "49f798bf3" "0000000000000140"

Network

Files

C:\Users\Admin\AppData\Local\Temp\{a270e740-55ce-1f4c-8c65-2eee63cc25cd}\segwindrv.inf

MD5 843fb7475608ce359da7cbd48fa3ab1d
SHA1 ae16643aa1756b34391e4c615958343ecb17b153
SHA256 e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7
SHA512 9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

C:\Users\Admin\AppData\Local\Temp\{A270E~1\segwindrvx64.sys

MD5 e46dfe45c1714f4920d3fd2546f2f630
SHA1 28cdb0b48c1d88d71421ec9e40ce52836ab79956
SHA256 b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6
SHA512 97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

C:\Windows\System32\DriverStore\Temp\{9c000c01-44e6-7d48-a075-4ba67927805d}\SET84F0.tmp

MD5 43d3603cf918445cbd1d7253b49bf527
SHA1 fabfaee55f2c4e6ca508d735b297bdb738ab1c7d
SHA256 e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5
SHA512 183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

Network

N/A

Files

memory/2300-0-0x0000000000010000-0x000000000002A000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240729-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\VHD\0.25000001.bat"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\System32\vds.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\vds.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe
PID 2500 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe
PID 2500 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe
PID 2500 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\control.exe
PID 2500 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\control.exe
PID 2500 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\control.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\VHD\0.25000001.bat"

C:\Windows\system32\diskpart.exe

diskpart /s 1.txt

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\control.exe

control /name Microsoft.StorageSpaces

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.exe

"C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240708-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\SET8171.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\SET3870.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\SET6901.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\SET3AB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\SET3870.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\SET386F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\SET3A9.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\SET5092.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\SET3AA.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\SET6902.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\SET1FE2.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\SET6901.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\SET8171.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\SET386F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\SET5090.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\SET6902.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\SET1FE0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\SET1FE2.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\SET385F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\SET8170.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\SET3A9.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\SET3AB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\SET1FE1.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\SET5091.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\SET816F.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\SET1FE1.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\SET8170.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\SET5090.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\SET6900.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\SET1FE0.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\SET816F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\SET3AA.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\SET385F.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\SET5091.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\SET5092.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\SET6900.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 1284 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1488 wrote to memory of 1284 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1488 wrote to memory of 1284 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2780 wrote to memory of 2156 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2780 wrote to memory of 2156 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2780 wrote to memory of 2156 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1340 wrote to memory of 1076 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1340 wrote to memory of 1076 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1340 wrote to memory of 1076 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 3028 wrote to memory of 2176 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 3028 wrote to memory of 2176 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 3028 wrote to memory of 2176 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2516 wrote to memory of 2600 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2516 wrote to memory of 2600 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2516 wrote to memory of 2600 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2716 wrote to memory of 2380 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2716 wrote to memory of 2380 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2716 wrote to memory of 2380 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe

"C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{19dbbed8-d0f8-7da4-3e37-a907a17a2477}\segwindrv.inf" "9" "69f798bf3" "00000000000004CC" "WinSta0\Default" "00000000000005B0" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{4aabc05a-9438-5315-ce7d-403abf5bd671} Global\{73901f3e-04f9-6f0f-a05f-1a049c32797e} C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{3fec7965-6a3e-2495-7a6d-c03862b5cc14}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000004CC" "00000000000003C8" "00000000000005E0"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{d82bc447-517e-4b17-8e72-4b936088a674} "(null)"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{71cd4547-c113-23d8-9add-7437c160552f}\segwindrv.inf" "9" "69f798bf3" "00000000000005E0" "WinSta0\Default" "00000000000005E4" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{01ed4432-e0ef-0610-1668-f34cd1c2ef23} Global\{486de2bf-6816-4cf3-34a7-cc6ae95bdb3e} C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{25e07a39-c096-640f-7d17-b62c4af75169}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000005E0" "00000000000005EC" "00000000000005F4"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{30b9dcc3-eb9a-6854-ba3b-ac4fff9fce3f}\segwindrv.inf" "9" "69f798bf3" "00000000000003C8" "WinSta0\Default" "0000000000000608" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{05683fb8-05e7-384c-7d1b-677fc0d4ec29} Global\{7736da26-a8e9-57f0-7cac-a26673488948} C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{187e90e2-fe81-0c7a-b01a-5a1f8bde955b}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000003C8" "00000000000005EC" "0000000000000614"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{648a223b-0fbb-6940-c284-63582f2ede48}\segwindrv.inf" "9" "69f798bf3" "00000000000003C8" "WinSta0\Default" "00000000000005E0" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{79c71a67-d42d-41ac-1215-e43fc8178070} Global\{70002474-3bb9-54e5-ea1d-3f37fa846a3a} C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{77205b37-dfce-4eac-6633-1e6a7c31c17c}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000003C8" "00000000000005EC" "00000000000005E8"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4ab54054-56d9-78b2-0818-9823e700a22f}\segwindrv.inf" "9" "69f798bf3" "0000000000000610" "WinSta0\Default" "0000000000000060" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{079088ef-4e79-0fc2-fd48-9b7832976e16} Global\{64b22937-5337-3a1e-1546-7f5128b94405} C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{33c6c45c-c45c-33c6-3717-376a6f58c732}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "0000000000000610" "00000000000005EC" "0000000000000628"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{77f4ade9-ce91-768b-2de4-71436aa6c548}\segwindrv.inf" "9" "69f798bf3" "0000000000000610" "WinSta0\Default" "00000000000003C8" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{54de1e6b-1348-73b8-0d5f-ef5b7ad5fa5a} Global\{68ab4ec7-d00a-1039-633d-746001e79869} C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{46886333-e0a8-66a8-6efc-f31ac967fb4f}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "0000000000000610" "0000000000000628" "00000000000005E8"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\Cab2FF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar312.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\{19dbbed8-d0f8-7da4-3e37-a907a17a2477}\segwindrv.cat

MD5 43d3603cf918445cbd1d7253b49bf527
SHA1 fabfaee55f2c4e6ca508d735b297bdb738ab1c7d
SHA256 e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5
SHA512 183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

C:\Users\Admin\AppData\Local\Temp\{19dbbed8-d0f8-7da4-3e37-a907a17a2477}\segwindrv.inf

MD5 843fb7475608ce359da7cbd48fa3ab1d
SHA1 ae16643aa1756b34391e4c615958343ecb17b153
SHA256 e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7
SHA512 9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

C:\Users\Admin\AppData\Local\Temp\{19DBB~1\segwindrvx64.sys

MD5 e46dfe45c1714f4920d3fd2546f2f630
SHA1 28cdb0b48c1d88d71421ec9e40ce52836ab79956
SHA256 b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6
SHA512 97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

C:\Windows\Temp\Cab3DA.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\Tar3DD.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Users\Admin\AppData\Local\Temp\DMI5092.tmp.log.xml

MD5 bc442f24da0be4374788e744844a2ca9
SHA1 1be31d603336b6271599010e7a44a682153663e3
SHA256 dac0135a3c2dbfd5c7cb702b7cb0c3a4d886f66c10b8f0d22d63c12d2cd61119
SHA512 b6ee799f149e295fe4e0f4c9e67eb536bfd5a1e0efe94aee4a78ea682085fa058349e4f635c3b8c9df29cc0f2e3298b5e2f85010809e93be4f19f470a80c1359

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win10v2004-20240802-en

Max time kernel

135s

Max time network

136s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\check.bat"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\check.bat"

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get manufacturer, product, serialnumber

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get manufacturer, releasedate, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get name, uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

C:\Users\Admin\AppData\Local\Temp\Insyde\segwindrvx64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/380-0-0x0000000000010000-0x000000000002A000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Insyde\spoof.bat"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\SET925.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\SETECD0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\SET21C4.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\SET935.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\SET21C4.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\SET21B4.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\SETECD1.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\SET935.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\SET6A86.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\SET6A87.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\SETECD1.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\SET925.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\SET5208.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\SET3A04.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\SET5207.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\SET936.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\SET3A05.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\SET3A05.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\SET5208.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\SET6A88.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\SETECB0.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\SETECD0.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\SET21C5.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\SET3A06.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\SET5206.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\SET936.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\SET6A88.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\SETECB0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\SET21B4.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\SET21C5.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\SET3A06.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\SET6A87.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\SET3A04.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\SET5207.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\SET5206.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\SET6A86.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe
PID 2672 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe
PID 2672 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe
PID 1332 wrote to memory of 1528 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1332 wrote to memory of 1528 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1332 wrote to memory of 1528 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1840 wrote to memory of 2304 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1840 wrote to memory of 2304 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1840 wrote to memory of 2304 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2024 wrote to memory of 1776 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2024 wrote to memory of 1776 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2024 wrote to memory of 1776 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1968 wrote to memory of 2624 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1968 wrote to memory of 2624 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1968 wrote to memory of 2624 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1668 wrote to memory of 2932 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1668 wrote to memory of 2932 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1668 wrote to memory of 2932 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2584 wrote to memory of 2648 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2584 wrote to memory of 2648 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 2584 wrote to memory of 2648 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Insyde\spoof.bat"

C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe

H2OSDE-Wx64.exe -SU AUTO

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{04e39ec4-f418-3014-cac0-63184573c978}\segwindrv.inf" "9" "69f798bf3" "00000000000003B8" "WinSta0\Default" "00000000000003A4" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{488f4ab5-00a4-4c20-42b1-810362e0713f} Global\{5eb6c7d4-95e7-6913-9e81-38000e581d2c} C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{491b44eb-16b6-43ba-6dcd-1866ffbeec65}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000003B8" "00000000000005D8" "00000000000005DC"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{76e04809-f94b-4570-a433-cbade1bc9bcb} "(null)"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{78c97345-fe00-2fb0-7b5b-a712e4b97f5f}\segwindrv.inf" "9" "69f798bf3" "00000000000005EC" "WinSta0\Default" "00000000000005DC" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{39a6a132-905b-64c3-859c-ee20844e033b} Global\{7bfa1c39-8320-469a-e419-bd3087b80754} C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{59c58fac-9698-104c-1df9-3b02406a9e3e}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000005EC" "00000000000005F0" "00000000000005F8"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2ad5a19c-a4fe-1aa3-b063-b13be7930606}\segwindrv.inf" "9" "69f798bf3" "00000000000005E8" "WinSta0\Default" "00000000000005EC" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{336a8254-8fb5-7095-68fb-1621de0ac807} Global\{0d5ea164-0d34-526d-b961-ed5d5f981f4c} C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{3e7c4a3f-2c42-36c8-2702-291f6adf6a75}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000005E8" "00000000000005F0" "000000000000060C"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{41e5093e-a29a-3c21-8240-e259b408eb51}\segwindrv.inf" "9" "69f798bf3" "0000000000000604" "WinSta0\Default" "00000000000005F8" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{6a6c3f8e-1130-367b-5a01-78621bd14329} Global\{31c8b87f-0d41-0b32-245e-8d73fc435137} C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{0defb2b0-aa90-39d4-53e9-aa4c13399c5c}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "0000000000000604" "000000000000060C" "00000000000005FC"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{33698cbf-04c3-462d-81e8-f55edca44340}\segwindrv.inf" "9" "69f798bf3" "00000000000005E8" "WinSta0\Default" "00000000000005D8" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{7ce7225e-b5c4-401f-174e-230476e56d3f} Global\{29e4c827-7711-0bc5-f237-c57dab3a7f55} C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{15be73fa-2893-61c6-f024-241638c8be2e}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000005E8" "00000000000005FC" "000000000000060C"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6228d7ff-3174-64f3-75c6-5838d5b7ce4d}\segwindrv.inf" "9" "69f798bf3" "00000000000004BC" "WinSta0\Default" "0000000000000608" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{2ec356e6-3306-44e7-98ef-a8151b6f6745} Global\{7d5496fc-937d-0971-0092-82735ba17227} C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{24df4e30-9a47-1873-f754-a51332795863}\segwindrv.cat

C:\Windows\system32\DrvInst.exe

DrvInst.exe "3" "201" "ROOT\INSYDESEG\0000" "" "" "69f798bf3" "00000000000004BC" "000000000000060C" "0000000000000604"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\CabEBF6.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarEC09.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\{04e39ec4-f418-3014-cac0-63184573c978}\segwindrv.cat

MD5 43d3603cf918445cbd1d7253b49bf527
SHA1 fabfaee55f2c4e6ca508d735b297bdb738ab1c7d
SHA256 e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5
SHA512 183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

C:\Users\Admin\AppData\Local\Temp\{04e39ec4-f418-3014-cac0-63184573c978}\segwindrv.inf

MD5 843fb7475608ce359da7cbd48fa3ab1d
SHA1 ae16643aa1756b34391e4c615958343ecb17b153
SHA256 e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7
SHA512 9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

C:\Users\Admin\AppData\Local\Temp\{04E39~1\segwindrvx64.sys

MD5 e46dfe45c1714f4920d3fd2546f2f630
SHA1 28cdb0b48c1d88d71421ec9e40ce52836ab79956
SHA256 b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6
SHA512 97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

C:\Windows\Temp\CabED4E.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\TarED7F.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Users\Admin\AppData\Local\Temp\DMI39D7.tmp.log.xml

MD5 bc442f24da0be4374788e744844a2ca9
SHA1 1be31d603336b6271599010e7a44a682153663e3
SHA256 dac0135a3c2dbfd5c7cb702b7cb0c3a4d886f66c10b8f0d22d63c12d2cd61119
SHA512 b6ee799f149e295fe4e0f4c9e67eb536bfd5a1e0efe94aee4a78ea682085fa058349e4f635c3b8c9df29cc0f2e3298b5e2f85010809e93be4f19f470a80c1359

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:52

Platform

win10v2004-20240802-en

Max time kernel

0s

Max time network

2s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Insyde\spoof.bat"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\SET615C.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\segwindrv.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\SET614A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\segwindrvx64.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\SET615B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\segwindrv.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\SET615C.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\SET614A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{26101007-1897-5b46-80cc-be814692155b}\SET615B.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe
PID 4472 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe
PID 4248 wrote to memory of 3444 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4248 wrote to memory of 3444 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Insyde\spoof.bat"

C:\Users\Admin\AppData\Local\Temp\Insyde\H2OSDE-Wx64.exe

H2OSDE-Wx64.exe -SU AUTO

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7c8139ba-11a1-fc45-9eb6-417083eb8e49}\segwindrv.inf" "9" "49f798bf3" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\local\temp\insyde"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\INSYDESEG\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca1156c0ee7a:Insyde_Device64:6.1.7600.16385:{416c2604-443b-436f-9e1d-607bdc3cc785}\segwindrv," "49f798bf3" "0000000000000148"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\{7c8139ba-11a1-fc45-9eb6-417083eb8e49}\segwindrv.inf

MD5 843fb7475608ce359da7cbd48fa3ab1d
SHA1 ae16643aa1756b34391e4c615958343ecb17b153
SHA256 e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7
SHA512 9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

C:\Users\Admin\AppData\Local\Temp\{7C813~1\segwindrvx64.sys

MD5 e46dfe45c1714f4920d3fd2546f2f630
SHA1 28cdb0b48c1d88d71421ec9e40ce52836ab79956
SHA256 b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6
SHA512 97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

C:\Users\Admin\AppData\Local\Temp\{7C813~1\segwindrv.cat

MD5 43d3603cf918445cbd1d7253b49bf527
SHA1 fabfaee55f2c4e6ca508d735b297bdb738ab1c7d
SHA256 e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5
SHA512 183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\system32\reg.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modify Registry: Disable Windows Driver Blocklist

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" C:\Windows\system32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\powercfg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallPaper C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2312 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2312 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2312 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2312 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2312 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2312 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2312 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2312 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2312 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2312 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2312 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2312 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"

C:\Windows\system32\bcdedit.exe

bcdedit /set bootuxdisabled yes

C:\Windows\system32\bcdedit.exe

bcdedit /set quietboot on

C:\Windows\system32\bcdedit.exe

bcdedit /timeout 0

C:\Windows\system32\powercfg.exe

powercfg h off

C:\Windows\system32\reg.exe

reg import 1.reg

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\dbgeng.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\dbgeng.dll /grant Administrators:D

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\AMI\spoof.bat"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.EXE
PID 2980 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.EXE
PID 2980 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\AMI\spoof.bat"

C:\Users\Admin\AppData\Local\Temp\AMI\AMIDEWINx64.EXE

AMIDEWINx64.exe /SU AUTO

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

94s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VHD\0.25000001.bat"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_MSFT&PROD_VIRTUAL_DISK\2&1F4ADFFE&0&000003 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\ConfigFlags C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\control.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\vds.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\vds.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\vds.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe
PID 1132 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe
PID 1132 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\control.exe
PID 1132 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\control.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VHD\0.25000001.bat"

C:\Windows\system32\diskpart.exe

diskpart /s 1.txt

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\control.exe

control /name Microsoft.StorageSpaces

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 246.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\check.bat"

Signatures

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2788 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2788 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2864 wrote to memory of 2536 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2864 wrote to memory of 2536 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2864 wrote to memory of 2536 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2788 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2788 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\check.bat"

C:\Windows\system32\net.exe

net stop winmgmt /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get manufacturer, product, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get manufacturer, releasedate, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get name, uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-05 12:52

Reported

2024-10-05 12:55

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

98s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\system32\reg.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modify Registry: Disable Windows Driver Blocklist

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" C:\Windows\system32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\powercfg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallPaper C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"

C:\Windows\system32\bcdedit.exe

bcdedit /set bootuxdisabled yes

C:\Windows\system32\bcdedit.exe

bcdedit /set quietboot on

C:\Windows\system32\bcdedit.exe

bcdedit /timeout 0

C:\Windows\system32\powercfg.exe

powercfg h off

C:\Windows\system32\reg.exe

reg import 1.reg

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\dbgeng.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\dbgeng.dll /grant Administrators:D

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A