1d9f66794a5af4e409a6c6b32a14d674cc1ea96f69e2cf2acb3c7b997750d5f8

Analysis

max time kernel
201s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MinecraftInstaller.msi
Size

2.5MB
MD5

22991d4ef03118107a943934d92319d1
SHA1

832ea164d844401f9eced5bf84d45ad4b273cf8c
SHA256

1d9f66794a5af4e409a6c6b32a14d674cc1ea96f69e2cf2acb3c7b997750d5f8
SHA512

79a87b895184188d987f9390f28c20ab4d999d953f9c3d3f92f9d0069a0dc6490c4ef69603e12b62554d809a08b97a79b12f98055b0ebc6a91d5215e3b95fd33
SSDEEP

49152:69wfmqHrSa1uL7TFSCEeQ6EOMhKqL0WCb:+7a1ugeQVhLha

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

5 2420 msiexec.exe
6 2420 msiexec.exe
11 2420 msiexec.exe
Executes dropped EXE 3 IoCs

Processes:

MinecraftLauncher.exeNativeUpdater.exeMinecraftLauncher.exe

pid process

4204 MinecraftLauncher.exe
2768 NativeUpdater.exe
4588 MinecraftLauncher.exe
Loads dropped DLL 5 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid process

3012 MsiExec.exe
2632 MsiExec.exe
2632 MsiExec.exe
2120 MsiExec.exe
3012 MsiExec.exe

flow	pid	process
5	2420	msiexec.exe
6	2420	msiexec.exe
11	2420	msiexec.exe

pid	process
4204	MinecraftLauncher.exe
2768	NativeUpdater.exe
4588	MinecraftLauncher.exe

pid	process
3012	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2120	MsiExec.exe
3012	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exeMinecraftLauncher.exe

description	ioc	process
File created	C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe	msiexec.exe
File created	C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\tools\NativeUpdater.exe	MinecraftLauncher.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e591ae1.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{733C3ACB-432D-4880-B0E1-660000D7974D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI315A.tmp	msiexec.exe
File created	C:\Windows\Installer\e591ae1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2718.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI240A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{733C3ACB-432D-4880-B0E1-660000D7974D}\minecraft.ico	msiexec.exe
File created	C:\Windows\Installer\e591ae3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{733C3ACB-432D-4880-B0E1-660000D7974D}\minecraft.ico	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b9e60d2ecf4958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b9e60d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809000b9e60d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\ProductName = "Minecraft Launcher"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\PackageCode = "54FE00570550045418568622471E508D"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\ProductIcon = "C:\\Windows\\Installer\\{733C3ACB-432D-4880-B0E1-660000D7974D}\\minecraft.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BCA3C337D23408840B1E6600007D79D4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\PackageName = "MinecraftInstaller.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BCA3C337D23408840B1E6600007D79D4\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6\BCA3C337D23408840B1E6600007D79D4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Language = "1033"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exemspaint.exe

pid process

4324 msiexec.exe
4324 msiexec.exe
220 mspaint.exe
220 mspaint.exe

pid	process
4324	msiexec.exe
4324	msiexec.exe
220	mspaint.exe
220	mspaint.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	4324	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeMachineAccountPrivilege	2420	msiexec.exe
Token: SeTcbPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	2420	msiexec.exe
Token: SeTakeOwnershipPrivilege	2420	msiexec.exe
Token: SeLoadDriverPrivilege	2420	msiexec.exe
Token: SeSystemProfilePrivilege	2420	msiexec.exe
Token: SeSystemtimePrivilege	2420	msiexec.exe
Token: SeProfSingleProcessPrivilege	2420	msiexec.exe
Token: SeIncBasePriorityPrivilege	2420	msiexec.exe
Token: SeCreatePagefilePrivilege	2420	msiexec.exe
Token: SeCreatePermanentPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2420	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeDebugPrivilege	2420	msiexec.exe
Token: SeAuditPrivilege	2420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2420	msiexec.exe
Token: SeChangeNotifyPrivilege	2420	msiexec.exe
Token: SeRemoteShutdownPrivilege	2420	msiexec.exe
Token: SeUndockPrivilege	2420	msiexec.exe
Token: SeSyncAgentPrivilege	2420	msiexec.exe
Token: SeEnableDelegationPrivilege	2420	msiexec.exe
Token: SeManageVolumePrivilege	2420	msiexec.exe
Token: SeImpersonatePrivilege	2420	msiexec.exe
Token: SeCreateGlobalPrivilege	2420	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeMachineAccountPrivilege	2420	msiexec.exe
Token: SeTcbPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	2420	msiexec.exe
Token: SeTakeOwnershipPrivilege	2420	msiexec.exe
Token: SeLoadDriverPrivilege	2420	msiexec.exe
Token: SeSystemProfilePrivilege	2420	msiexec.exe
Token: SeSystemtimePrivilege	2420	msiexec.exe
Token: SeProfSingleProcessPrivilege	2420	msiexec.exe
Token: SeIncBasePriorityPrivilege	2420	msiexec.exe
Token: SeCreatePagefilePrivilege	2420	msiexec.exe
Token: SeCreatePermanentPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2420	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeDebugPrivilege	2420	msiexec.exe
Token: SeAuditPrivilege	2420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2420	msiexec.exe
Token: SeChangeNotifyPrivilege	2420	msiexec.exe
Token: SeRemoteShutdownPrivilege	2420	msiexec.exe
Token: SeUndockPrivilege	2420	msiexec.exe
Token: SeSyncAgentPrivilege	2420	msiexec.exe
Token: SeEnableDelegationPrivilege	2420	msiexec.exe
Token: SeManageVolumePrivilege	2420	msiexec.exe
Token: SeImpersonatePrivilege	2420	msiexec.exe
Token: SeCreateGlobalPrivilege	2420	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2420 msiexec.exe
2420 msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mspaint.exe

pid process

220 mspaint.exe
220 mspaint.exe
220 mspaint.exe
220 mspaint.exe

pid	process
2420	msiexec.exe
2420	msiexec.exe

pid	process
220	mspaint.exe
220	mspaint.exe
220	mspaint.exe
220	mspaint.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

msiexec.exeMsiExec.exeMinecraftLauncher.exeNativeUpdater.exe

description	pid	process	target process
PID 4324 wrote to memory of 3012	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 3012	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 3012	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 3440	4324	msiexec.exe	srtasks.exe
PID 4324 wrote to memory of 3440	4324	msiexec.exe	srtasks.exe
PID 4324 wrote to memory of 2632	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 2632	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 2632	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 2120	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 2120	4324	msiexec.exe	MsiExec.exe
PID 4324 wrote to memory of 2120	4324	msiexec.exe	MsiExec.exe
PID 3012 wrote to memory of 4204	3012	MsiExec.exe	MinecraftLauncher.exe
PID 3012 wrote to memory of 4204	3012	MsiExec.exe	MinecraftLauncher.exe
PID 3012 wrote to memory of 4204	3012	MsiExec.exe	MinecraftLauncher.exe
PID 4204 wrote to memory of 2768	4204	MinecraftLauncher.exe	NativeUpdater.exe
PID 4204 wrote to memory of 2768	4204	MinecraftLauncher.exe	NativeUpdater.exe
PID 4204 wrote to memory of 2768	4204	MinecraftLauncher.exe	NativeUpdater.exe
PID 2768 wrote to memory of 4588	2768	NativeUpdater.exe	MinecraftLauncher.exe
PID 2768 wrote to memory of 4588	2768	NativeUpdater.exe	MinecraftLauncher.exe
PID 2768 wrote to memory of 4588	2768	NativeUpdater.exe	MinecraftLauncher.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4BB4CD8914E895D5C7E0CF4A392C5450 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012

C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
"C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4204

C:\Program Files (x86)\Minecraft Launcher\tools\NativeUpdater.exe
tools\NativeUpdater.exe MinecraftLauncher.exe MinecraftLauncher.exe.tmp --nativeLauncherVersion 1000 --nativeLauncherVersion 1000
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
MinecraftLauncher.exe --nativeLauncherVersion 1000 --nativeLauncherVersion 1000
5⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3440

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1F8619000703765C91B1262227C9298F
2⤵
- Loads dropped DLL
PID:2632

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F0063FBED9E4A63F5C92CBEF4983744F E Global\MSI0000
2⤵
- Loads dropped DLL
PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4424

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
Filesize
3.3MB

MD5
0501b8eb39f00dcaa3c89ccec2fbde17

SHA1
cb7b82a5d02a2b5ea9c16b5083015c832b556405

SHA256
161ba4c1b21cd20b15573f0ccfc4a5cbab8dedd94c722cd60afb8551d8d91dc2

SHA512
4ab6a3fd31c7551578f07ada264bb93a22eb16f75fdbcfaecf4c0861535a2f631082da5f6003ff9f57fda231e783cbf200caa6a6d6bdefbe08d64f33c67855b3

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
Filesize
3.3MB

MD5
0501b8eb39f00dcaa3c89ccec2fbde17

SHA1
cb7b82a5d02a2b5ea9c16b5083015c832b556405

SHA256
161ba4c1b21cd20b15573f0ccfc4a5cbab8dedd94c722cd60afb8551d8d91dc2

SHA512
4ab6a3fd31c7551578f07ada264bb93a22eb16f75fdbcfaecf4c0861535a2f631082da5f6003ff9f57fda231e783cbf200caa6a6d6bdefbe08d64f33c67855b3

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
Filesize
3.2MB

MD5
e8c86a94df2f0a4c5edfa59cfc420329

SHA1
4212cb446a2dce87225ca20ba45e10befb084062

SHA256
60c59edec70f5cd7d1cf880e7a1475de6f73932dc23ae913f9c7dfeaf52489e1

SHA512
273298886ff9466a28caae48e59d701fc1519ba39196ff5abac8c52b0d00e21be00e852ff453ed659fcf2c7cc980c138bf162a4dc8453d84fc542df451880e2e

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe.tmp
Filesize
3.2MB

MD5
e8c86a94df2f0a4c5edfa59cfc420329

SHA1
4212cb446a2dce87225ca20ba45e10befb084062

SHA256
60c59edec70f5cd7d1cf880e7a1475de6f73932dc23ae913f9c7dfeaf52489e1

SHA512
273298886ff9466a28caae48e59d701fc1519ba39196ff5abac8c52b0d00e21be00e852ff453ed659fcf2c7cc980c138bf162a4dc8453d84fc542df451880e2e

Download Submit
C:\Program Files (x86)\Minecraft Launcher\tools\NativeUpdater.exe
Filesize
1.1MB

MD5
72e1747a895001b1a300ffcad1edc9a6

SHA1
111e67014919bf1a42859951abdd945e4080e883

SHA256
2bbf4862a5900db35050e1679e08bb91c879c112f3259bfbc483cb26aad09eef

SHA512
31af0b629fe79d6fcbdde4f7928c66f59773ad47971ca9f091f1e00e9e9f9c6ca254732040d2e1b764fcad2f2997c5e8e15247f928e97528b0bf36aca3be5ba1

Download Submit
C:\Program Files (x86)\Minecraft Launcher\tools\NativeUpdater.exe
Filesize
1.1MB

MD5
72e1747a895001b1a300ffcad1edc9a6

SHA1
111e67014919bf1a42859951abdd945e4080e883

SHA256
2bbf4862a5900db35050e1679e08bb91c879c112f3259bfbc483cb26aad09eef

SHA512
31af0b629fe79d6fcbdde4f7928c66f59773ad47971ca9f091f1e00e9e9f9c6ca254732040d2e1b764fcad2f2997c5e8e15247f928e97528b0bf36aca3be5ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
471B

MD5
2fb45da83863bdd651aa1ec88cfc4d4d

SHA1
2634c8e2e479d7e7d6bb0be90662531bbcc929fc

SHA256
cc5125bf64923f3c28ba199c75ef3a69ac488abbdac56fe082bc240e26353456

SHA512
b5311ed92c09192ca3957e28605945fb747527da38ca2c7b9fa4ed53d4e1fbd5e9a3786d0e0ca2fd48deb981bbcb6724a8194b27df0c67a27f1ab55a0d6ea44a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_6BE73709C7F4D409D3FEEFF27BA07C40
Filesize
471B

MD5
d021ee1d5475bc42be5524f4a12ca8ff

SHA1
47e9544efd0634a63666f3ae3a1b1bbd89d08cdd

SHA256
9c92ba20fe4aca9af71a61f1e6b017687dbc01ed487806a1aa3d26942208444c

SHA512
29fea32479480ad1ae3e4ec7b509d186b5c26ee71600337f5827b50f317bce13d2340860b8d593fc139aea9188db4a2587b537949427df80683e2c2bf7d53ed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
404B

MD5
f98593d2139a4665d6947a9728e53e55

SHA1
6b052016f438631c97159d77407937e0b0678341

SHA256
7b493014a7fe5172b92aa1b391f3a4f45106f8d0abd33f0bfa677ad9378e5c30

SHA512
2d0688364b2000306fb67c1d420e91f960717aa85405d5a85505f1f5bb510f539e8008dd9e80d126b610323d87254a322d0494a0efbccf30775b6690fdddf742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_6BE73709C7F4D409D3FEEFF27BA07C40
Filesize
400B

MD5
5585c8c37c06e314bccff2676a7cd330

SHA1
aa4d74d51a21eb18eb67cc4045ec5c6d673cd334

SHA256
9da19f6cb4acef0182174abc7a1f472ee5636b89beb7600d3c9677d9b79c5b84

SHA512
3f6a5a2ff111f7ec1136c303c94fdea73618ca1e9b5fb0aaa380040135efb5cf469e0376eb8d1256b92840b1aeaea9a8dda60d4d5b5d3cfc2b9b2fe84f5aabfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6925.tmp
Filesize
87KB

MD5
48eaf9d4ccf75bc06bbc5d33e78b7fff

SHA1
c710753c265b148f27ff3f358bb0ee980ab46423

SHA256
9ae2608edd49d2c319bb7bcfc24550bd9fb88b2f100fe90222a6fc55ca43c589

SHA512
505f4366f7258df3a88af77dde8335709063dd43298bf0ff8529992d53a60ad8de7d7ac65533f1ffc3a7f3ad4ca3a04c85366bfb9a14b47221609e6d36951d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6925.tmp
Filesize
87KB

MD5
48eaf9d4ccf75bc06bbc5d33e78b7fff

SHA1
c710753c265b148f27ff3f358bb0ee980ab46423

SHA256
9ae2608edd49d2c319bb7bcfc24550bd9fb88b2f100fe90222a6fc55ca43c589

SHA512
505f4366f7258df3a88af77dde8335709063dd43298bf0ff8529992d53a60ad8de7d7ac65533f1ffc3a7f3ad4ca3a04c85366bfb9a14b47221609e6d36951d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI71DC.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI71DC.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt
Filesize
2KB

MD5
f87a2d5e1c53b4ff6850676792495287

SHA1
cfba9f634f59ae741086127490812ea6e2794e71

SHA256
1a453df94e8efc7cbbd69f5b4c2d7fb622310c24459126c43fd49317af79ac2a

SHA512
5734cd8e21f0d3b8a1d89509aac93531c77823e4d50ce851b847767e662bd7c6150fd384d22ed48291b4548744ef53aec3a03016ab69933ba699538dc69dd238

Download Submit
C:\Windows\Installer\MSI240A.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSI240A.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSI2718.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSI2718.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSI315A.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSI315A.tmp
Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
beaf929ecf220c389068832043d7f391

SHA1
49f7e5c7264eea9dffe1dc8755d737742fca51c9

SHA256
3e42a093910c87adf14521bd638c9f0e195c66ef702741af4243839ca61fedf1

SHA512
ece017fff3993ed5ca25ecbc845119a1c6a4c1b48ee8d43c655024a80723664eaefd06dfdec4377ece4d428d2384e8ef514c807142ba2a9e0b2d55f50374b608

Download Submit
\??\Volume{d2609e0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ff1845d3-5f21-42f6-a14e-a224cdbdca96}_OnDiskSnapshotProp
Filesize
5KB

MD5
83282b2c02316e188de6349c60d6b865

SHA1
07c1203cbfa9bfbd05493bb957f91dab84e13750

SHA256
4cf143d6f1c03abff6c6801e0b5e841a9896926b3effa49763d27f192cc2fc01

SHA512
8114faf4b3764fec04389067c07ddf8a7cb423822242b2a6b11a4d02b195b60359765231685a6cf6406b329453f074701ea882d48913e304db1c310c5e99ad88

Download Submit
memory/2120-147-0x0000000000000000-mapping.dmp

Download
memory/2632-140-0x0000000000000000-mapping.dmp

Download
memory/2768-155-0x0000000000000000-mapping.dmp

Download
memory/3012-132-0x0000000000000000-mapping.dmp

Download
memory/3440-135-0x0000000000000000-mapping.dmp

Download
memory/4204-153-0x0000000000000000-mapping.dmp

Download
memory/4588-159-0x0000000000000000-mapping.dmp

Download