96481bdddf7d8b4f3a8a1de6622c2a6cd81d205a83bbf0974f9e683f14b72332

Resubmissions

23/04/2023, 01:29

230423-bwrxwsaa72 8

Analysis

max time kernel
100s
max time network
99s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
23/04/2023, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minecraft-demo.msi
Size

1.9MB
MD5

a5b7fb34e00b1467f73691a426a26eaa
SHA1

d099cbf8ecb7d11141a023f741803fd9c7309daa
SHA256

96481bdddf7d8b4f3a8a1de6622c2a6cd81d205a83bbf0974f9e683f14b72332
SHA512

846c8b14587691d75f7735f92b8ba6134092b20a9406d485fd1e9b29dbabd1b46e227e53632c6ef91987261457a09d36c91ac5b7cba51975ba30370223fcfd61
SSDEEP

24576:8cJF3UeXTBJemGNqLMor/oB2MsBVjVJfzjUnE0WTM9AudAUYvdjM40b:8cz1aQLVU2MsBVZJLF0WEb

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	956	msiexec.exe
4	956	msiexec.exe
6	956	msiexec.exe
11	1964	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
2000	MinecraftLauncher.exe
1616	MinecraftLauncher.exe
904	MinecraftLauncher.exe
1400	MinecraftLauncher.exe
508	MinecraftLauncher.exe

Loads dropped DLL 6 IoCs

pid	Process
632	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
1876	MsiExec.exe
632	MsiExec.exe
632	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF	DrvInst.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6cefdc.msi	msiexec.exe
File created	C:\Windows\Installer\{E154B2C8-2F3E-4763-B3D5-E7D34AE39C6B}\minecraft.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4CF.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6cefdc.msi	msiexec.exe
File created	C:\Windows\Installer\6cefdd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6E4.tmp	msiexec.exe
File created	C:\Windows\Installer\6cefdf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cefdd.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\volsnap.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\{E154B2C8-2F3E-4763-B3D5-E7D34AE39C6B}\minecraft.ico	msiexec.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\qagentrt.dll,-10 = "Autenticación de mantenimiento del sistema"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Confianza de mismo nivel"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\dnsapi.dll,-103 = "Confianza en el servidor DNS (Sistema de nombres de dominio)"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-844 = "Agente de recuperación de datos BitLocker"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-843 = "Cifrado de unidad BitLocker"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C2B451EE3F236743B5D7E3DA43EC9B6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\ProductName = "Minecraft Launcher"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\SourceList\PackageName = "minecraft-demo.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\PackageCode = "B5E6FC4EF8B79384CAF31EEE73981E95"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\ProductIcon = "C:\\Windows\\Installer\\{E154B2C8-2F3E-4763-B3D5-E7D34AE39C6B}\\minecraft.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6\8C2B451EE3F236743B5D7E3DA43EC9B6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C2B451EE3F236743B5D7E3DA43EC9B6\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C2B451EE3F236743B5D7E3DA43EC9B6\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1964	msiexec.exe
1964	msiexec.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	956	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeSecurityPrivilege	1964	msiexec.exe
Token: SeCreateTokenPrivilege	956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	956	msiexec.exe
Token: SeLockMemoryPrivilege	956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	956	msiexec.exe
Token: SeMachineAccountPrivilege	956	msiexec.exe
Token: SeTcbPrivilege	956	msiexec.exe
Token: SeSecurityPrivilege	956	msiexec.exe
Token: SeTakeOwnershipPrivilege	956	msiexec.exe
Token: SeLoadDriverPrivilege	956	msiexec.exe
Token: SeSystemProfilePrivilege	956	msiexec.exe
Token: SeSystemtimePrivilege	956	msiexec.exe
Token: SeProfSingleProcessPrivilege	956	msiexec.exe
Token: SeIncBasePriorityPrivilege	956	msiexec.exe
Token: SeCreatePagefilePrivilege	956	msiexec.exe
Token: SeCreatePermanentPrivilege	956	msiexec.exe
Token: SeBackupPrivilege	956	msiexec.exe
Token: SeRestorePrivilege	956	msiexec.exe
Token: SeShutdownPrivilege	956	msiexec.exe
Token: SeDebugPrivilege	956	msiexec.exe
Token: SeAuditPrivilege	956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	956	msiexec.exe
Token: SeChangeNotifyPrivilege	956	msiexec.exe
Token: SeRemoteShutdownPrivilege	956	msiexec.exe
Token: SeUndockPrivilege	956	msiexec.exe
Token: SeSyncAgentPrivilege	956	msiexec.exe
Token: SeEnableDelegationPrivilege	956	msiexec.exe
Token: SeManageVolumePrivilege	956	msiexec.exe
Token: SeImpersonatePrivilege	956	msiexec.exe
Token: SeCreateGlobalPrivilege	956	msiexec.exe
Token: SeCreateTokenPrivilege	956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	956	msiexec.exe
Token: SeLockMemoryPrivilege	956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	956	msiexec.exe
Token: SeMachineAccountPrivilege	956	msiexec.exe
Token: SeTcbPrivilege	956	msiexec.exe
Token: SeSecurityPrivilege	956	msiexec.exe
Token: SeTakeOwnershipPrivilege	956	msiexec.exe
Token: SeLoadDriverPrivilege	956	msiexec.exe
Token: SeSystemProfilePrivilege	956	msiexec.exe
Token: SeSystemtimePrivilege	956	msiexec.exe
Token: SeProfSingleProcessPrivilege	956	msiexec.exe
Token: SeIncBasePriorityPrivilege	956	msiexec.exe
Token: SeCreatePagefilePrivilege	956	msiexec.exe
Token: SeCreatePermanentPrivilege	956	msiexec.exe
Token: SeBackupPrivilege	956	msiexec.exe
Token: SeRestorePrivilege	956	msiexec.exe
Token: SeShutdownPrivilege	956	msiexec.exe
Token: SeDebugPrivilege	956	msiexec.exe
Token: SeAuditPrivilege	956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	956	msiexec.exe
Token: SeChangeNotifyPrivilege	956	msiexec.exe
Token: SeRemoteShutdownPrivilege	956	msiexec.exe
Token: SeUndockPrivilege	956	msiexec.exe
Token: SeSyncAgentPrivilege	956	msiexec.exe
Token: SeEnableDelegationPrivilege	956	msiexec.exe
Token: SeManageVolumePrivilege	956	msiexec.exe
Token: SeImpersonatePrivilege	956	msiexec.exe
Token: SeCreateGlobalPrivilege	956	msiexec.exe
Token: SeCreateTokenPrivilege	956	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
956	msiexec.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
956	msiexec.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe
1564	taskmgr.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 632	1964	msiexec.exe	29
PID 1964 wrote to memory of 632	1964	msiexec.exe	29
PID 1964 wrote to memory of 632	1964	msiexec.exe	29
PID 1964 wrote to memory of 632	1964	msiexec.exe	29
PID 1964 wrote to memory of 632	1964	msiexec.exe	29
PID 1964 wrote to memory of 632	1964	msiexec.exe	29
PID 1964 wrote to memory of 632	1964	msiexec.exe	29
PID 1964 wrote to memory of 1588	1964	msiexec.exe	34
PID 1964 wrote to memory of 1588	1964	msiexec.exe	34
PID 1964 wrote to memory of 1588	1964	msiexec.exe	34
PID 1964 wrote to memory of 1588	1964	msiexec.exe	34
PID 1964 wrote to memory of 1588	1964	msiexec.exe	34
PID 1964 wrote to memory of 1588	1964	msiexec.exe	34
PID 1964 wrote to memory of 1588	1964	msiexec.exe	34
PID 1964 wrote to memory of 1876	1964	msiexec.exe	35
PID 1964 wrote to memory of 1876	1964	msiexec.exe	35
PID 1964 wrote to memory of 1876	1964	msiexec.exe	35
PID 1964 wrote to memory of 1876	1964	msiexec.exe	35
PID 1964 wrote to memory of 1876	1964	msiexec.exe	35
PID 1964 wrote to memory of 1876	1964	msiexec.exe	35
PID 1964 wrote to memory of 1876	1964	msiexec.exe	35
PID 632 wrote to memory of 2000	632	MsiExec.exe	37
PID 632 wrote to memory of 2000	632	MsiExec.exe	37
PID 632 wrote to memory of 2000	632	MsiExec.exe	37
PID 632 wrote to memory of 2000	632	MsiExec.exe	37
PID 632 wrote to memory of 2000	632	MsiExec.exe	37
PID 632 wrote to memory of 2000	632	MsiExec.exe	37
PID 632 wrote to memory of 2000	632	MsiExec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\minecraft-demo.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 32AD24220EA30F8DA1A5C1033C991C4E C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
    "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"
    3⤵
    - Executes dropped EXE
    PID:2000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1B27DC5127BA05A746B22F7617B703C4
  2⤵
  - Loads dropped DLL
  PID:1588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8678E53853BBDC5E0DA4D0F836D0C010 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:832

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000002B8"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1704

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1564

C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
"C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
"C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"
1⤵
- Executes dropped EXE
PID:904

C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
"C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"
1⤵
- Executes dropped EXE
PID:1400

C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
"C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"
1⤵
- Executes dropped EXE
PID:508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6cefde.rbs

Filesize
8KB

MD5
eda1800bfbddeb1ae51006f541084558

SHA1
1edf7a17e27743d4c32fe7a7664db4142c7bd358

SHA256
cbe1ca17ad3614bdb154e0e7a8ee226af3cef5063437a3c1bc4fcb9a73a09446

SHA512
b6bc91f79a8e712ee4550bd9a486fafee8be5d45456745b400b2faddde4963cca857c24f94232256fbf525ae2e70ebb976f4ae6282adfcb2376253f35ded5be2

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
1KB

MD5
152190fc45662ec709327c59b7a1e939

SHA1
8512e2d95a99d80280c94980c01c33b3c783265d

SHA256
47ae332007e428aeae406d98121e7a095823989f37cee759e74df170f483d3ad

SHA512
156ba1a0991222d14362d0adeea7c6a1e78efa5d0241509da7ed9d67206b2b4f0f3f7a1e8bfb9f0be658914be99955875615dc85a2dc0830990dfefec1e83984

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_6C37B248F221D83ABA8B4DEB8AF8C3C5

Filesize
1KB

MD5
0f6bd045045ad8a7b1c582ff7e515429

SHA1
f4bb79664c840cd5079dba39607e2f1ba47bfeb1

SHA256
498306773b9f36da0972bb598b55db311578f6f0372f1347ee3cf6feefe4b67c

SHA512
bb69de32906660df8995c509beb840e8e57d015d80d5a2f36952bcd43637b00d03c1d374cf8452b5abf2d51e005d09e86648a00a021803f907e45000707775ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
84dc31f5c5e82068de2aa1ca93e2727f

SHA1
0e5cf5d53145f7a36ed1b36528ea11b7aa2035a3

SHA256
fdae7d44cdc0c2b2645149b9832a13bd775db4214facaed6ae809d12d1a415d2

SHA512
23fbda88927b6467459f381a06c7141258f8b374c5c6c6de06a88d86a93f7490cee2b5d21d3efb5379e700164ab47dee02d71667a444dbd4fd6966fd80ef469a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ee8e8c27584225722f6fea524ded333

SHA1
5be716788d4bdfaf617755c734c05986b8e3e1cd

SHA256
c2a3517cd813a7406ac113131eb779b3b7601e27307389b6a806fa12b63cddbd

SHA512
e42656535c22098b6cb74861b0c2bca2d2de6a8a82eedc732977df6c03103d6b5b2804a1a8a03eb403e5dd9824d5a20052d8b99d7f8dd319e8189591fa88debf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f62cb8d62ec6315dfa87845076c2498

SHA1
7893c349ed1c0ed8ea336efb9e5e8472c32b8c73

SHA256
7643774ffa5ae801dff841c251c27d7af82a3678a66ed801b828643f9e91192e

SHA512
1637839036fdfec4aad737a89599cbfbd8b87bc3c65a66acc23b9201fa9ecede2d82d2a0a6f2abcf93edc645c6c99786192db0ca9ef7fb21b3433ff0039b6c06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
44e0cc0d3f61a90739b9a90511ea7bbe

SHA1
91e759d903edcc0391b5d7288ef36fc488abbdea

SHA256
98e5912fe0e40c6818e88372754e0a856f3e4e0f69a67becf8646285a8918392

SHA512
a8725fbdb43370129d7040e557090c398c351de2b860f9b6c007b3fbf3d0261077f273ef9ef17f3d2908d23649fa5e2db2105724a40397de8244c4604798e86d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_6C37B248F221D83ABA8B4DEB8AF8C3C5

Filesize
398B

MD5
3bca0da2e5ac7db156d6cb8ead6ecf58

SHA1
e7f619184af3604323ee8b40fde6a697da952e9b

SHA256
89a5e1eb8fc8d99a1a760e544df7cd5b4000291b4cb34285c3c649b7a75c3c54

SHA512
e6f634a1b0a159e063e96ac021715620de55303fe8567f0820aee93342146db617a5b1257a7ec6d7b825d13d8fbddb78a1d6e1ac2fc13329655a45403ce25de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ddc906c7e964d7d8994fd8767e955515

SHA1
b68411cdbf646cfe606f17144c87490a1be502bb

SHA256
b6baa0638dd0c1aa3c3aa730de15753eed4f82adabcf1a6d6eab19fe0215eb27

SHA512
df504f1ac309efb52992e92dd84aa09a7cc697e16f03ad5c4d5b68a4b88f61f18a452b0cce047741d40953fa695de06f11dab297ff3c0d6f73c33122679f0787

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI161C.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI78E3.tmp

Filesize
87KB

MD5
48eaf9d4ccf75bc06bbc5d33e78b7fff

SHA1
c710753c265b148f27ff3f358bb0ee980ab46423

SHA256
9ae2608edd49d2c319bb7bcfc24550bd9fb88b2f100fe90222a6fc55ca43c589

SHA512
505f4366f7258df3a88af77dde8335709063dd43298bf0ff8529992d53a60ad8de7d7ac65533f1ffc3a7f3ad4ca3a04c85366bfb9a14b47221609e6d36951d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B23.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\nativelog.txt

Filesize
698B

MD5
e7d410715665725b4933cc1496e486db

SHA1
123dc60d6073f1fd75c16e8c4369bae9434be6cb

SHA256
6457c2ea2f5bf55947c09917b5f67f6b37bcf97537ca3d80d5a1631ed44bf3c7

SHA512
5ab48cd525ab1cc9ca28a09f6a38cfe60a5c45c1bfd10884afb6d5a9617dc2cb4b96840735a5906aced426335b77014eb5cc983c45589e867cf206f2fba2821c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\nativelog.txt

Filesize
698B

MD5
14e1f77ec81e7ed5f7eea645da9d9df9

SHA1
0bab04e9e8a90b832a13fb5d65f2bf541d368759

SHA256
cb8759462ab8298125114503982f38a6abdb132aebbfc28958a897a969be2636

SHA512
d5b0f8e5a133de6121b117ce468bd17f7f9732ec6d9ec5fd9e2bbf1feb3711709df9b3bc9101431a66e22b631fcb6635919d32e7410c0bf835d1bd041a2960f0

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\nativelog.txt

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\nativelog.txt

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Windows\Installer\6cefdc.msi

Filesize
1.9MB

MD5
a5b7fb34e00b1467f73691a426a26eaa

SHA1
d099cbf8ecb7d11141a023f741803fd9c7309daa

SHA256
96481bdddf7d8b4f3a8a1de6622c2a6cd81d205a83bbf0974f9e683f14b72332

SHA512
846c8b14587691d75f7735f92b8ba6134092b20a9406d485fd1e9b29dbabd1b46e227e53632c6ef91987261457a09d36c91ac5b7cba51975ba30370223fcfd61

Download Submit
C:\Windows\Installer\MSIF3C5.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSIF4CF.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSIF6E4.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\MSIF6E4.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF

Filesize
5KB

MD5
8e2753fa39b94c95bbfd6c3077055f85

SHA1
25f55e72210ab3356987f24295723170b23c16da

SHA256
ea02a94faad1d2a2e3f0f31aa3f4c68ba42cd3aaa7ff17fd2b30c288fa789566

SHA512
34f911968fa87df9a41605583499ec180ea233aca506b81931e981d157d32ba9af8d088d18253cd2d7996d3a75c6409bc121eb7a8f95b11a36a2c564ad9f4ee4

Download Submit
\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
1.5MB

MD5
c80fe4ab07993e915fdfbb88fd591554

SHA1
a29f15b096dbe3de5397bccbe7964ba760371421

SHA256
f391a3c42bd3cc19bf76cf62de164b263ee2a6e9b3994120c3c613fb30af7476

SHA512
c03af4ee6363219cf2a9a8306f6bea5c1182908bafa7b5f266c293bff7938cd7040aecf5dbd9304fb4ee03c95e5e6804e48da6589b786c5e233f303365838a67

Download Submit
\Users\Admin\AppData\Local\Temp\MSI161C.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
\Users\Admin\AppData\Local\Temp\MSI78E3.tmp

Filesize
87KB

MD5
48eaf9d4ccf75bc06bbc5d33e78b7fff

SHA1
c710753c265b148f27ff3f358bb0ee980ab46423

SHA256
9ae2608edd49d2c319bb7bcfc24550bd9fb88b2f100fe90222a6fc55ca43c589

SHA512
505f4366f7258df3a88af77dde8335709063dd43298bf0ff8529992d53a60ad8de7d7ac65533f1ffc3a7f3ad4ca3a04c85366bfb9a14b47221609e6d36951d77

Download Submit
\Windows\Installer\MSIF3C5.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
\Windows\Installer\MSIF4CF.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
\Windows\Installer\MSIF6E4.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
memory/1564-127-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1564-126-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1564-189-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1564-188-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download