Windows Analysis Report
minecraft.exe

Overview

General Information

Sample name: minecraft.exe
Analysis ID: 1544867
MD5: 09718d571b01cb93e6f983be7b99a4b2
SHA1: d2d1212212bfc691e115b24e8132ae4658e510e8
SHA256: 6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169
Tags: exeuser-MDMCk10
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Recursive Takeown
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: minecraft.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: minecraft.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 87.6% probability
Machine Learning detection for sample
Source: minecraft.exe Joe Sandbox ML: detected
Source: Binary string: AcroExch.PDBookmark9o source: reg.exe, 0000001F.00000003.1511553346.000001B6128F4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\Temp\5B39.tmp Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp\5B3B.tmp Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014000B64C NtdllDefWindowProc_W,GetWindowLongPtrW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,EnableWindow,DestroyWindow,UnregisterClassW, 0_2_000000014000B64C
Deletes files inside the Windows folder
Source: C:\Windows\System32\cmd.exe File deleted: C:\Windows\System32\drivers\DriverData Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_00000001400138E5 0_2_00000001400138E5
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_00000001400154F0 0_2_00000001400154F0
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_0000000140015160 0_2_0000000140015160
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_0000000140015170 0_2_0000000140015170
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_0000000140013175 0_2_0000000140013175
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_0000000140010210 0_2_0000000140010210
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_0000000140016210 0_2_0000000140016210
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014000EA48 0_2_000000014000EA48
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014001366E 0_2_000000014001366E
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014000B758 0_2_000000014000B758
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_0000000140012FDD 0_2_0000000140012FDD
Sample file is different than original file name gathered from version info
Source: minecraft.exe, 00000000.00000003.1704537164.000000000057C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs minecraft.exe
Source: minecraft.exe, 00000000.00000002.1704888816.000000000057D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs minecraft.exe
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f
Source: reg.exe, 0000001F.00000003.1511553346.000001B6128F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .vbproj
Source: classification engine Classification label: mal64.winEXE@59/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\Desktop\minecraft.exe File created: C:\Users\user\AppData\Local\Temp\5B39.tmp Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp\5B3B.bat C:\Users\user\Desktop\minecraft.exe"
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "taskmgr.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "regedit.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lsass.exe")
Source: C:\Users\user\Desktop\minecraft.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: minecraft.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\minecraft.exe "C:\Users\user\Desktop\minecraft.exe"
Source: C:\Users\user\Desktop\minecraft.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp\5B3B.bat C:\Users\user\Desktop\minecraft.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im taskmgr.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im regedit.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\drivers /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\shutdown.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\shutdown.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im lsass.exe
Source: unknown Process created: C:\Windows\System32\wlrmdr.exe -s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f
Source: C:\Users\user\Desktop\minecraft.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp\5B3B.bat C:\Users\user\Desktop\minecraft.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C: Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im taskmgr.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im regedit.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\drivers /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\shutdown.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\shutdown.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im lsass.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: dui70.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: duser.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: uianimation.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wlrmdr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\minecraft.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: minecraft.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Binary string: AcroExch.PDBookmark9o source: reg.exe, 0000001F.00000003.1511553346.000001B6128F4000.00000004.00000020.00020000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_000000014000D9C4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014001BD3E push rbx; ret 0_2_000000014001BD3F
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Uses cacls to modify the permissions of files
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t
Source: C:\Users\user\Desktop\minecraft.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlrmdr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlrmdr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wlrmdr.exe Process information set: NOOPENFILEERRORBOX
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\icacls.exe File opened / queried: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\regedit.exe Jump to behavior
Source: C:\Windows\System32\icacls.exe File opened / queried: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\ Jump to behavior
Source: C:\Windows\System32\icacls.exe File opened / queried: C:\Windows\System32\drivers\vmci.sys
Source: C:\Windows\System32\takeown.exe File opened / queried: C:\Windows\System32\drivers\vmci.sys\ Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\minecraft.exe Window / User API: threadDelayed 1111 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\minecraft.exe TID: 7800 Thread sleep count: 1111 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\Temp\5B39.tmp Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp\5B3B.tmp Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\minecraft.exe File opened: C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp Jump to behavior
Source: reg.exe, 0000001F.00000003.1637357696.000001B612938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: icacls.exe, 0000001A.00000002.1368697338.0000020B3AB68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ss.svmci.syswfplwfs.sys|
Source: reg.exe, 0000001F.00000002.1703813992.000001B6130E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: reg.exe, 0000001F.00000003.1637702977.000001B6129B3000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1637552222.000001B6129B3000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1650293185.000001B6129B3000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1650180786.000001B6129B3000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1653919411.000001B6129B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860I
Source: reg.exe, 0000001F.00000003.1619667936.000001B612AE9000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1619739375.000001B612AE9000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1619450996.000001B612AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_none_e952b570e43ce35d]
Source: reg.exe, 0000001F.00000003.1618715337.000001B613195000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_none_40a51070cee1599dJ
Source: reg.exe, 0000001F.00000003.1642699891.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1702491171.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000002.1703470418.000001B6128F2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1645615414.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: reg.exe, 0000001F.00000003.1637357696.000001B612938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: reg.exe, 0000001F.00000003.1650726939.000001B61293F000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1653872870.000001B612937000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1654592459.000001B61293F000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1649920740.000001B612937000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1653675330.000001B61293F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot<
Source: reg.exe, 0000001F.00000003.1653675330.000001B612937000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cessor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec50
Source: reg.exe, 0000001F.00000003.1642699891.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1702491171.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000002.1703470418.000001B6128F2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1645615414.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: reg.exe, 0000001F.00000003.1650726939.000001B61293F000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1653872870.000001B612937000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1654592459.000001B61293F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time483
Source: reg.exe, 0000001F.00000003.1642699891.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1702491171.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000002.1703470418.000001B6128F2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1645615414.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisorL
Source: reg.exe, 0000001F.00000003.1629317924.000001B61292F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Pro
Source: reg.exe, 0000001F.00000003.1642699891.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1702491171.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000002.1703470418.000001B6128F2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1645615414.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V dkytrhgcwserdbb Bus
Source: reg.exe, 0000001F.00000002.1703813992.000001B6130E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid PartitionZl
Source: reg.exe, 0000001F.00000003.1653803745.000001B612989000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1650028322.000001B612989000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost8
Source: reg.exe, 0000001F.00000003.1642699891.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1702491171.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000002.1703470418.000001B6128F2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1645615414.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processorh
Source: reg.exe, 0000001F.00000003.1642699891.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1702491171.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000002.1703470418.000001B6128F2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1645615414.000001B6128F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V dkytrhgcwserdbb Bus Pipes
Source: reg.exe, 0000001F.00000003.1637874283.000001B61293B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: icacls.exe, 0000001A.00000003.1363981605.0000020B3AB77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmci.sys`
Source: reg.exe, 0000001F.00000003.1632040995.000001B61297B000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1632636687.000001B612966000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1632839017.000001B61296A000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1632877087.000001B612979000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partitionys
Source: reg.exe, 0000001F.00000003.1649920740.000001B612937000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001F.00000003.1653675330.000001B61293F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: C:\Windows\System32\wlrmdr.exe Process information queried: ProcessInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_000000014000D9C4
Enables debug privileges
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\minecraft.exe Code function: 0_2_000000014000C4D0 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler, 0_2_000000014000C4D0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\minecraft.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B39.tmp\5B3A.tmp\5B3B.bat C:\Users\user\Desktop\minecraft.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C: Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im taskmgr.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im regedit.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\drivers /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\shutdown.exe /r /d y Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\shutdown.exe /grant everyone:F /t Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im lsass.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f Jump to behavior
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im taskmgr.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im regedit.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im lsass.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\wlrmdr.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\wlrmdr.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\System32\wlrmdr.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544867 Sample: minecraft.exe Startdate: 29/10/2024 Architecture: WINDOWS Score: 64 21 Antivirus / Scanner detection for submitted sample 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 Machine Learning detection for sample 2->25 27 AI detected suspicious sample 2->27 7 minecraft.exe 8 2->7         started        9 wlrmdr.exe 2->9         started        process3 process4 11 cmd.exe 1 7->11         started        process5 13 icacls.exe 1 11->13         started        15 takeown.exe 1 11->15         started        17 taskkill.exe 1 11->17         started        19 25 other processes 11->19
No contacted IP infos