Overview
overview
8Static
static
3EasyMC_Set...64.exe
windows7-x64
7EasyMC_Set...64.exe
windows10-2004-x64
7$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
37zip/linux/x64/7za
ubuntu-18.04-amd64
37zip/mac/x64/7za
macos-10.15-amd64
17zip/win/ia32/7za.exe
windows7-x64
17zip/win/ia32/7za.exe
windows10-2004-x64
17zip/win/x64/7za.exe
windows7-x64
17zip/win/x64/7za.exe
windows10-2004-x64
1EasyMC Launcher.exe
windows7-x64
7EasyMC Launcher.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows7-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1hostsremov...er.exe
windows7-x64
8hostsremov...er.exe
windows10-2004-x64
8libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1Analysis
-
max time kernel
128s -
max time network
165s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
02/02/2024, 01:01
Static task
static1
Behavioral task
behavioral1
Sample
EasyMC_Setup_v1.6.14_x64.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
EasyMC_Setup_v1.6.14_x64.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
7zip/linux/x64/7za
Resource
ubuntu1804-amd64-20231222-en
ubuntu-18.04-amd64
Behavioral task
behavioral12
Sample
7zip/mac/x64/7za
Resource
macos-20231201-en
macos-10.15-amd64
Behavioral task
behavioral13
Sample
7zip/win/ia32/7za.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
7zip/win/ia32/7za.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
7zip/win/x64/7za.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral16
Sample
7zip/win/x64/7za.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
EasyMC Launcher.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral18
Sample
EasyMC Launcher.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
LICENSES.chromium.html
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral20
Sample
LICENSES.chromium.html
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
d3dcompiler_47.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral22
Sample
d3dcompiler_47.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
ffmpeg.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral24
Sample
ffmpeg.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
hostsremover/EasyMCHostsRemover.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral26
Sample
hostsremover/EasyMCHostsRemover.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
libEGL.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral28
Sample
libEGL.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
libGLESv2.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral30
Sample
libGLESv2.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
resources/elevate.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
resources/elevate.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
EasyMC Launcher.exe
-
Size
133.1MB
-
MD5
e311796a24989bf6785699a2d3b482c2
-
SHA1
e07b67cdcd393e558b94f9b8800361b69b4d1228
-
SHA256
e65265cd415da534eb3984e50aec17f83596d6a37e7345f165e90fe788027b77
-
SHA512
e52dc0f12da63f025f52fbfd32a2d52c596b50fca40535d8e783e844df60f5e01fbc0c770956bbe5825063453d090b80fd6af5197c1b74c375c77c272f698ff7
-
SSDEEP
1572864:52HVo9Ck+yOBBdJAVwlymAETslfp409t:x9Ctx3tu
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\Geo\Nation EasyMC Launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\Geo\Nation EasyMC Launcher.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 EasyMC Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 EasyMC Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 EasyMC Launcher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 EasyMC Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 EasyMC Launcher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 EasyMC Launcher.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 2188 EasyMC Launcher.exe 2188 EasyMC Launcher.exe 2188 EasyMC Launcher.exe 2188 EasyMC Launcher.exe 2188 EasyMC Launcher.exe 2564 EasyMC Launcher.exe 1948 EasyMC Launcher.exe 2188 EasyMC Launcher.exe 2188 EasyMC Launcher.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2292 2188 EasyMC Launcher.exe 28 PID 2188 wrote to memory of 2292 2188 EasyMC Launcher.exe 28 PID 2188 wrote to memory of 2292 2188 EasyMC Launcher.exe 28 PID 2292 wrote to memory of 2836 2292 cmd.exe 29 PID 2292 wrote to memory of 2836 2292 cmd.exe 29 PID 2292 wrote to memory of 2836 2292 cmd.exe 29 PID 2188 wrote to memory of 2848 2188 EasyMC Launcher.exe 31 PID 2188 wrote to memory of 2848 2188 EasyMC Launcher.exe 31 PID 2188 wrote to memory of 2848 2188 EasyMC Launcher.exe 31 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2884 2188 EasyMC Launcher.exe 32 PID 2188 wrote to memory of 2564 2188 EasyMC Launcher.exe 34 PID 2188 wrote to memory of 2564 2188 EasyMC Launcher.exe 34 PID 2188 wrote to memory of 2564 2188 EasyMC Launcher.exe 34 PID 2188 wrote to memory of 1948 2188 EasyMC Launcher.exe 33 PID 2188 wrote to memory of 1948 2188 EasyMC Launcher.exe 33 PID 2188 wrote to memory of 1948 2188 EasyMC Launcher.exe 33 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35 PID 2188 wrote to memory of 2804 2188 EasyMC Launcher.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"2⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\System32\reg.exeC:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid3⤵PID:2836
-
-
-
C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\easymc-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=easymc-launcher --annotation=_version=1.6.14 --annotation=prod=Electron --annotation=ver=16.2.8 --initial-client-data=0x2fc,0x310,0x2f0,0x304,0x308,0x147bd29d8,0x147bd29e8,0x147bd29f82⤵PID:2848
-
-
C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1032,4474047330759247208,3527696021816676109,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1068 /prefetch:22⤵PID:2884
-
-
C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1032,4474047330759247208,3527696021816676109,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1532 /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1948
-
-
C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,4474047330759247208,3527696021816676109,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1188 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1032,4474047330759247208,3527696021816676109,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1260 /prefetch:22⤵PID:2804
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5fa872eccedf57098bb66c51046af0178
SHA1132942d10db822672de0d7304a57bfddbc6843d5
SHA256c1d542c6378f32d11787435614a652c06573ba86765ffb298f5bc741e77cd737
SHA512b5ec9be71b1274bf1e97a808ecb357a46edb10a05f292e80c805cef2cde615746872bff69309a64f50102178ac3408ee6ec1894ada03fe41a9acb727e1390f0a
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
40B
MD5cbab840bfeebe15a5a7673db08516867
SHA1ac4142fb0164fc6d12763ae8fbc2e23b183bbbe8
SHA2560ae31fdf1d20f747b24d095ab45e75118153fa3feec9afa877061f5cc314ed3b
SHA5121456119649b0fb8fa96982699dbd73f633d8baec809a2593d84d6da16310c848966bbde2534c53a029529b350fed234df63f7c68f54284acc3366559159404cf
-
Filesize
171KB
MD5bc0fc8e7a69cdfef3f45e0df4f0a6609
SHA152c61c882e2bf7206b6eb4845b0391de411100bd
SHA256d2594ece7f5450a44f7ca50f8ab905060b34474969e7fb80a4d0611f994ce626
SHA512b2ba57d0d323be9ee046d8b101101d1701195f1dc5c75b202769f45e5361c2ed56d085c0e1fc73a48419b8b4ccfe8182cea98c05f42939dee2f420ae72b593b0