Malware Analysis Report

2025-01-02 06:58

Sample ID 210329-5dqyz7yhp6
Target Minecraft_Dungeons_v1.0-v1.5.0.rar
SHA256 296d38386d3176443601f1494db4a8dbec3254d4a7625ca25233016b9387d6d6
Tags: r77 rootkit spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 296d38386d3176443601f1494db4a8dbec3254d4a7625ca25233016b9387d6d6

Threat Level: Known bad

The file Minecraft_Dungeons_v1.0-v1.5.0.rar was found to be: Known bad.

Malicious Activity Summary

r77 rootkit spyware stealer

r77

r77 rootkit payload

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Program crash

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-03-29 13:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-29 13:52

Reported

2021-03-29 13:55

Platform

win7v20201028

Max time kernel

83s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"

Signatures

r77

rootkit r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe N/A (2 identical entries)
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe (4 identical entries)
PID 1724 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe C:\Users\Admin\AppData\Local\Temp\update.exe (4 identical entries)
PID 1988 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\system32\cmd.exe (3 identical entries)
PID 1968 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com (3 identical entries)
PID 1968 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (3 identical entries)
PID 1968 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe (3 identical entries)
PID 1988 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\system32\cmd.exe (3 identical entries)
PID 1612 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com (3 identical entries)
PID 1612 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (3 identical entries)
PID 1988 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\System32\cmd.exe (3 identical entries)
PID 1004 wrote to memory of 1320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (3 identical entries)
PID 1004 wrote to memory of 884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe (3 identical entries)
PID 1004 wrote to memory of 1336 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpABDC.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

TaskKill /F /IM 1988

C:\Windows\system32\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 flingtrainer.com udp
N/A 104.21.35.160:443 flingtrainer.com tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.130.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 icanhazip.com udp
N/A 104.22.19.188:80 icanhazip.com tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 crl.microsoft.com udp
N/A 88.221.25.155:80 crl.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 104.99.234.13:80 www.microsoft.com tcp
N/A 8.8.8.8:53 crl.verisign.com udp
N/A 8.8.8.8:53 ocsp.verisign.com udp
N/A 23.51.123.27:80 ocsp.verisign.com tcp
N/A 104.22.19.188:80 icanhazip.com tcp
N/A 104.22.19.188:80 icanhazip.com tcp
N/A 8.8.8.8:53 usa.megumin.cloud udp
N/A 104.21.68.3:443 usa.megumin.cloud tcp

Files

memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

MD5 2ad4097e232d4002a5e90fa049607869
SHA1 9a860a3781854339d3482dd57e75a363c1bde12e
SHA256 b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66
SHA512 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277

memory/1484-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

MD5 2ad4097e232d4002a5e90fa049607869
SHA1 9a860a3781854339d3482dd57e75a363c1bde12e
SHA256 b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66
SHA512 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277

memory/1988-8-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\update.exe

MD5 ca0b14884c8aff3242f025f003190dcd
SHA1 21dbd3f9c14d40f4ec7906fb0d9567bb00cdaa05
SHA256 94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21
SHA512 e240b1c701eabb203896550476e6bf98cef4b4903cd860383ce02858ae096db36b93890ea223b1b0d17c621da05f0dc03e8bec73a26ce46c9f9451a228064b47

C:\Users\Admin\AppData\Local\Temp\update.exe

MD5 ca0b14884c8aff3242f025f003190dcd
SHA1 21dbd3f9c14d40f4ec7906fb0d9567bb00cdaa05
SHA256 94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21
SHA512 e240b1c701eabb203896550476e6bf98cef4b4903cd860383ce02858ae096db36b93890ea223b1b0d17c621da05f0dc03e8bec73a26ce46c9f9451a228064b47

memory/1988-11-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

memory/1484-6-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

memory/1484-13-0x0000000000240000-0x000000000026D000-memory.dmp

memory/1988-12-0x000000013F6B0000-0x000000013F6B1000-memory.dmp

memory/1988-16-0x0000000000750000-0x00000000007BF000-memory.dmp

memory/1988-17-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/1484-18-0x000000001B0C2000-0x000000001B0C4000-memory.dmp

memory/1484-19-0x000000001B0C4000-0x000000001B0C6000-memory.dmp

memory/1484-20-0x000000001B0C6000-0x000000001B0C7000-memory.dmp

memory/1988-21-0x000000001B500000-0x000000001B502000-memory.dmp

memory/1484-22-0x000000001B0C7000-0x000000001B0C8000-memory.dmp

\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

MD5 2ad4097e232d4002a5e90fa049607869
SHA1 9a860a3781854339d3482dd57e75a363c1bde12e
SHA256 b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66
SHA512 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277

memory/1484-25-0x000000001B0EB000-0x000000001B0EC000-memory.dmp

memory/1484-24-0x000000001B0CC000-0x000000001B0EB000-memory.dmp

memory/1484-26-0x000000001B0EC000-0x000000001B0ED000-memory.dmp

memory/932-27-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp

memory/1968-28-0x0000000000000000-mapping.dmp

memory/1332-29-0x0000000000000000-mapping.dmp

memory/1364-30-0x0000000000000000-mapping.dmp

memory/1836-31-0x0000000000000000-mapping.dmp

memory/1364-32-0x000007FEFC601000-0x000007FEFC603000-memory.dmp

memory/1988-33-0x000000001B506000-0x000000001B525000-memory.dmp

memory/1612-34-0x0000000000000000-mapping.dmp

memory/1704-35-0x0000000000000000-mapping.dmp

memory/1948-36-0x0000000000000000-mapping.dmp

memory/1988-39-0x000000001CAA0000-0x000000001CAA1000-memory.dmp

memory/1004-40-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpABDC.tmp.bat

MD5 49545f0ad13c1d9ecd1bb44d459a9248
SHA1 43e30261b8b78e6b945f691e29266b3769feec2b
SHA256 b7a2b153690708e6dd9d82e470eac5089dbe5248f2cc3a9b93a8609b25b83347
SHA512 b6a87f6c41f2075d9ba04d0df345192eac676a3d27e0e019bc7f58ad909fdbb11770577582f925aa92d25209379de09639200ef8e13e91db9047288c443bbfef

memory/1320-42-0x0000000000000000-mapping.dmp

memory/884-43-0x0000000000000000-mapping.dmp

memory/1336-44-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-29 13:52

Reported

2021-03-29 13:55

Platform

win10v20201028

Max time kernel

150s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"

Signatures

r77

rootkit r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\update.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 412 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe (2 identical entries)
PID 412 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe C:\Users\Admin\AppData\Local\Temp\update.exe (2 identical entries)
PID 416 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SYSTEM32\cmd.exe (2 identical entries)
PID 1764 wrote to memory of 3240 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com (2 identical entries)
PID 1764 wrote to memory of 2296 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe (2 identical entries)
PID 1764 wrote to memory of 2992 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe (2 identical entries)
PID 416 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SYSTEM32\cmd.exe (2 identical entries)
PID 3404 wrote to memory of 3544 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com (2 identical entries)
PID 3404 wrote to memory of 1948 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe (2 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 416 -s 3060

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 flingtrainer.com udp
N/A 104.21.35.160:443 flingtrainer.com tcp
N/A 8.8.8.8:53 ctldl.windowsupdate.com udp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 icanhazip.com udp
N/A 104.22.19.188:80 icanhazip.com tcp
N/A 8.8.8.8:53 www.msftconnecttest.com udp
N/A 13.107.4.52:80 www.msftconnecttest.com tcp
N/A 8.8.8.8:53 s2.symcb.com udp
N/A 23.51.123.27:80 s2.symcb.com tcp
N/A 8.8.8.8:53 sv.symcd.com udp
N/A 23.51.123.27:80 sv.symcd.com tcp
N/A 8.8.8.8:53 ocsp.verisign.com udp
N/A 23.51.123.27:80 ocsp.verisign.com tcp
N/A 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
N/A 23.51.123.27:80 evcs-ocsp.ws.symantec.com tcp
N/A 8.8.8.8:53 ctldl.windowsupdate.com udp
N/A 8.8.8.8:53 www.3dmgame.com udp
N/A 180.101.45.57:443 www.3dmgame.com tcp

Files

memory/3640-2-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

MD5 2ad4097e232d4002a5e90fa049607869
SHA1 9a860a3781854339d3482dd57e75a363c1bde12e
SHA256 b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66
SHA512 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277

memory/416-5-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

MD5 2ad4097e232d4002a5e90fa049607869
SHA1 9a860a3781854339d3482dd57e75a363c1bde12e
SHA256 b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66
SHA512 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277

C:\Users\Admin\AppData\Local\Temp\update.exe

MD5 ca0b14884c8aff3242f025f003190dcd
SHA1 21dbd3f9c14d40f4ec7906fb0d9567bb00cdaa05
SHA256 94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21
SHA512 e240b1c701eabb203896550476e6bf98cef4b4903cd860383ce02858ae096db36b93890ea223b1b0d17c621da05f0dc03e8bec73a26ce46c9f9451a228064b47

C:\Users\Admin\AppData\Local\Temp\update.exe

MD5 ca0b14884c8aff3242f025f003190dcd
SHA1 21dbd3f9c14d40f4ec7906fb0d9567bb00cdaa05
SHA256 94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21
SHA512 e240b1c701eabb203896550476e6bf98cef4b4903cd860383ce02858ae096db36b93890ea223b1b0d17c621da05f0dc03e8bec73a26ce46c9f9451a228064b47

memory/416-9-0x00007FF8030F0000-0x00007FF803ADC000-memory.dmp

memory/3640-7-0x00007FF8030F0000-0x00007FF803ADC000-memory.dmp

memory/3640-10-0x000001B5F6DC0000-0x000001B5F6DED000-memory.dmp

memory/416-11-0x0000000000840000-0x0000000000841000-memory.dmp

memory/416-14-0x0000000001100000-0x000000000116F000-memory.dmp

memory/3640-15-0x000001B5F78C0000-0x000001B5F78C2000-memory.dmp

memory/3640-16-0x000001B5F78C3000-0x000001B5F78C5000-memory.dmp

memory/416-18-0x0000000001070000-0x0000000001071000-memory.dmp

memory/3640-17-0x000001B5F78C6000-0x000001B5F78C7000-memory.dmp

memory/416-19-0x000000001C2E0000-0x000000001C2E2000-memory.dmp

memory/3640-20-0x000001B5F78C7000-0x000001B5F78C8000-memory.dmp

memory/3640-21-0x000001B5F78C8000-0x000001B5F78CA000-memory.dmp

memory/3640-22-0x000001B5F78CA000-0x000001B5F78CF000-memory.dmp

memory/1764-23-0x0000000000000000-mapping.dmp

memory/3240-24-0x0000000000000000-mapping.dmp

memory/2296-25-0x0000000000000000-mapping.dmp

memory/2992-26-0x0000000000000000-mapping.dmp

memory/3404-27-0x0000000000000000-mapping.dmp

memory/3544-28-0x0000000000000000-mapping.dmp

memory/1948-29-0x0000000000000000-mapping.dmp

memory/1180-30-0x0000028FAD710000-0x0000028FAD711000-memory.dmp