b08a1a85e9e97b791ad7add1bc0a3b0565e530e7ba325048e09fadd08f959a72

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minecraft.exe
Size

5.4MB
MD5

0a84063caff845960e40bb166a214c06
SHA1

44a68f862c5b215d1b957ef6c69044a29df53bcc
SHA256

b08a1a85e9e97b791ad7add1bc0a3b0565e530e7ba325048e09fadd08f959a72
SHA512

6b4e1bbc7f7978c8d49b38804e12432c16039e72010999d741d648f6050acefa880f84164d866314365210df789fb7349b5f177426956ab167083838c556f679
SSDEEP

98304:Gn9rKIDTGpzoLLJ3TbwaVvrZE0IdWyoFQK15W8ASLmbNYJERw1jrTHcDPUG:Gn9eIm9onJ5hrZERWyiU8AdZYJERurTy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

Processes:

minecraft.exe

pid	process
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe
4484	minecraft.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

minecraft.exe

description pid process

Token: SeDebugPrivilege 4484 minecraft.exe

description	pid	process
Token: SeDebugPrivilege	4484	minecraft.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

minecraft.exeminecraft.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4772 wrote to memory of 4484	4772	minecraft.exe	minecraft.exe
PID 4772 wrote to memory of 4484	4772	minecraft.exe	minecraft.exe
PID 4484 wrote to memory of 704	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 704	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4028	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4028	4484	minecraft.exe	cmd.exe
PID 704 wrote to memory of 2176	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 2176	704	cmd.exe	cmd.exe
PID 4028 wrote to memory of 1068	4028	cmd.exe	cmd.exe
PID 4028 wrote to memory of 1068	4028	cmd.exe	cmd.exe
PID 4484 wrote to memory of 1148	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 1148	4484	minecraft.exe	cmd.exe
PID 1148 wrote to memory of 4776	1148	cmd.exe	cmd.exe
PID 1148 wrote to memory of 4776	1148	cmd.exe	cmd.exe
PID 4484 wrote to memory of 4204	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4204	4484	minecraft.exe	cmd.exe
PID 4204 wrote to memory of 5024	4204	cmd.exe	cmd.exe
PID 4204 wrote to memory of 5024	4204	cmd.exe	cmd.exe
PID 4484 wrote to memory of 540	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 540	4484	minecraft.exe	cmd.exe
PID 540 wrote to memory of 4284	540	cmd.exe	cmd.exe
PID 540 wrote to memory of 4284	540	cmd.exe	cmd.exe
PID 4484 wrote to memory of 4880	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4880	4484	minecraft.exe	cmd.exe
PID 4880 wrote to memory of 836	4880	cmd.exe	cmd.exe
PID 4880 wrote to memory of 836	4880	cmd.exe	cmd.exe
PID 4484 wrote to memory of 3408	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 3408	4484	minecraft.exe	cmd.exe
PID 3408 wrote to memory of 1244	3408	cmd.exe	cmd.exe
PID 3408 wrote to memory of 1244	3408	cmd.exe	cmd.exe
PID 4484 wrote to memory of 3828	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 3828	4484	minecraft.exe	cmd.exe
PID 3828 wrote to memory of 840	3828	cmd.exe	cmd.exe
PID 3828 wrote to memory of 840	3828	cmd.exe	cmd.exe
PID 4484 wrote to memory of 3928	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 3928	4484	minecraft.exe	cmd.exe
PID 3928 wrote to memory of 384	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 384	3928	cmd.exe	cmd.exe
PID 4484 wrote to memory of 4176	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4176	4484	minecraft.exe	cmd.exe
PID 4176 wrote to memory of 5108	4176	cmd.exe	cmd.exe
PID 4176 wrote to memory of 5108	4176	cmd.exe	cmd.exe
PID 4484 wrote to memory of 1760	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 1760	4484	minecraft.exe	cmd.exe
PID 1760 wrote to memory of 312	1760	cmd.exe	cmd.exe
PID 1760 wrote to memory of 312	1760	cmd.exe	cmd.exe
PID 4484 wrote to memory of 4280	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4280	4484	minecraft.exe	cmd.exe
PID 4280 wrote to memory of 5064	4280	cmd.exe	cmd.exe
PID 4280 wrote to memory of 5064	4280	cmd.exe	cmd.exe
PID 4484 wrote to memory of 1640	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 1640	4484	minecraft.exe	cmd.exe
PID 1640 wrote to memory of 2828	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 2828	1640	cmd.exe	cmd.exe
PID 4484 wrote to memory of 4660	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4660	4484	minecraft.exe	cmd.exe
PID 4660 wrote to memory of 1784	4660	cmd.exe	cmd.exe
PID 4660 wrote to memory of 1784	4660	cmd.exe	cmd.exe
PID 4484 wrote to memory of 3308	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 3308	4484	minecraft.exe	cmd.exe
PID 3308 wrote to memory of 4268	3308	cmd.exe	cmd.exe
PID 3308 wrote to memory of 4268	3308	cmd.exe	cmd.exe
PID 4484 wrote to memory of 4440	4484	minecraft.exe	cmd.exe
PID 4484 wrote to memory of 4440	4484	minecraft.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\minecraft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\minecraft.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4440

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3824

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3312

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3408

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:460

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1584

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3504

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1900

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2304

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1640

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4440

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3464

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:668

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5132

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5208

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5336

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5460

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5676

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5780

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5860

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5940

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6020

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6096

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5172

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5000

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5132

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5208

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5688

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5320

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5864

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5968

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1044

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5164

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4344

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5660

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5300

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5192

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3980

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5688

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6056

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3132

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6060

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2360

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5360

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:964

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6008

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4500

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1004

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2756

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4496

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1688

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5236

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5964

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6068

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5204

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2256

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3688

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4384

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5144

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1840

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5904

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4180

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3900

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5516

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5568

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3444

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5844

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6056

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4060

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2364

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5340

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1016

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3144

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5676

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4236

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2124

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1996

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5684

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5892

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2360

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5756

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4200

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5052

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3184

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5652

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1904

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3960

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3256

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1924

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4304

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5520

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3492

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5616

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5992

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2484

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4296

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3988

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:772

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4828

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6204

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6292

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6368

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6444

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6524

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6600

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6676

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6752

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6828

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6904

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6980

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:7068

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:7084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:7144

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6240

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4896

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6476

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6444

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6764

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5160

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6992

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:7072

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5020

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:840

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:5448

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2000

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:4284

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:7156

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6396

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:1644

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6084

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:2192

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:3672

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:840

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:6188

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:7188

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:7204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start cmd"
3⤵
PID:7264

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:7280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI47722\VCRUNTIME140.dll
Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\_bz2.pyd
Filesize
83KB

MD5
6c7565c1efffe44cb0616f5b34faa628

SHA1
88dd24807da6b6918945201c74467ca75e155b99

SHA256
fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a

SHA512
822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\_ctypes.pyd
Filesize
122KB

MD5
29da9b022c16da461392795951ce32d9

SHA1
0e514a8f88395b50e797d481cbbed2b4ae490c19

SHA256
3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372

SHA512
5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\_decimal.pyd
Filesize
264KB

MD5
ce4df4dfe65ab8dc7ae6fcdebae46112

SHA1
cdbbfda68030394ac90f6d6249d6dd57c81bc747

SHA256
ffbe84f0a1eab363ca9cf73efb7518f2abd52c0893c7cc63266613c930855e96

SHA512
fc8e39942e46e4494356d4a45257b657495cbfa20e9d67850627e188f70b149e22603ae4801b4ba7b9a04d201b3787899d2aee21565237d18e0afce9bae33ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\_hashlib.pyd
Filesize
63KB

MD5
f377a418addeeb02f223f45f6f168fe6

SHA1
5d8d42dec5d08111e020614600bbf45091c06c0b

SHA256
9551431425e9680660c6baf7b67a262040fd2efceb241e4c9430560c3c1fafac

SHA512
6f60bfac34ed55ff5d6ae10c6ec5511906c983e0650e5d47dac7b8a97a2e0739266cae009449cced8dff59037e2dbfc92065fbbdfde2636d13679e1629650280

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\_lzma.pyd
Filesize
157KB

MD5
b5355dd319fb3c122bb7bf4598ad7570

SHA1
d7688576eceadc584388a179eed3155716c26ef5

SHA256
b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5

SHA512
0e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\_socket.pyd
Filesize
77KB

MD5
f5dd9c5922a362321978c197d3713046

SHA1
4fbc2d3e15f8bb21ecc1bf492f451475204426cd

SHA256
4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626

SHA512
ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\base_library.zip
Filesize
822KB

MD5
d3a47ef5b669b3ab59aa27a54b015d24

SHA1
d646309640b93ce05d268a00104d8a6ee6ee4463

SHA256
b89ba73c7ce7a7800237401b351b047996f3c975f9e6ed401864f5481acf644f

SHA512
09095fc7042a77f0c35f6a79d2c180b2660b613a82697a29662e39db80b3ed442c0433f915d17a271aba2f4f5c39615af2bac274de7095dd907413414d630dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\libcrypto-1_1.dll
Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\psutil\_psutil_windows.pyd
Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\python3.DLL
Filesize
57KB

MD5
3c88de1ebd52e9fcb46dc44d8a123579

SHA1
7d48519d2a19cac871277d9b63a3ea094fbbb3d9

SHA256
2b22b6d576118c5ae98f13b75b4ace47ab0c1f4cd3ff098c6aee23a8a99b9a8c

SHA512
1e55c9f7ac5acf3f7262fa2f3c509ee0875520bb05d65cd68b90671ac70e8c99bce99433b02055c07825285004d4c5915744f17eccfac9b25e0f7cd1bee9e6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\python39.dll
Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\select.pyd
Filesize
26KB

MD5
7a442bbcc4b7aa02c762321f39487ba9

SHA1
0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83

SHA256
1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad

SHA512
3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\unicodedata.pyd
Filesize
1.1MB

MD5
8320c54418d77eba5d4553a5d6ec27f9

SHA1
e5123cf166229aebb076b469459856a56fb16d7f

SHA256
7e719ba47919b668acc62008079c586133966ed8b39fec18e312a773cb89edae

SHA512
b9e6cdcb37d26ff9c573381bda30fa4cf1730361025cd502b67288c55744962bdd0a99790cedd4a48feef3139e3903265ab112ec545cb1154eaa2a91201f6b34

Download Submit