eb71dad7e3c7fc10f128a9f4c1aebdb527eb4192e3525010322559ca9b63d610

Analysis

max time kernel
141s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EasyMC Launcher.exe
Size

133.1MB
MD5

e311796a24989bf6785699a2d3b482c2
SHA1

e07b67cdcd393e558b94f9b8800361b69b4d1228
SHA256

e65265cd415da534eb3984e50aec17f83596d6a37e7345f165e90fe788027b77
SHA512

e52dc0f12da63f025f52fbfd32a2d52c596b50fca40535d8e783e844df60f5e01fbc0c770956bbe5825063453d090b80fd6af5197c1b74c375c77c272f698ff7
SSDEEP

1572864:52HVo9Ck+yOBBdJAVwlymAETslfp409t:x9Ctx3tu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	EasyMC Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	EasyMC Launcher.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EasyMC Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	EasyMC Launcher.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
5052	EasyMC Launcher.exe
544	EasyMC Launcher.exe
544	EasyMC Launcher.exe
2256	EasyMC Launcher.exe
2256	EasyMC Launcher.exe
4980	EasyMC Launcher.exe
4980	EasyMC Launcher.exe
4980	EasyMC Launcher.exe
4980	EasyMC Launcher.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3056	5052	EasyMC Launcher.exe	87
PID 5052 wrote to memory of 3056	5052	EasyMC Launcher.exe	87
PID 3056 wrote to memory of 3588	3056	cmd.exe	89
PID 3056 wrote to memory of 3588	3056	cmd.exe	89
PID 5052 wrote to memory of 1352	5052	EasyMC Launcher.exe	90
PID 5052 wrote to memory of 1352	5052	EasyMC Launcher.exe	90
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 4992	5052	EasyMC Launcher.exe	91
PID 5052 wrote to memory of 2256	5052	EasyMC Launcher.exe	92
PID 5052 wrote to memory of 2256	5052	EasyMC Launcher.exe	92
PID 5052 wrote to memory of 544	5052	EasyMC Launcher.exe	93
PID 5052 wrote to memory of 544	5052	EasyMC Launcher.exe	93
PID 5052 wrote to memory of 4980	5052	EasyMC Launcher.exe	99
PID 5052 wrote to memory of 4980	5052	EasyMC Launcher.exe	99

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:3588
- C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\easymc-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=easymc-launcher --annotation=_version=1.6.14 --annotation=prod=Electron --annotation=ver=16.2.8 --initial-client-data=0x458,0x468,0x47c,0x460,0x49c,0x7ff72fb729d8,0x7ff72fb729e8,0x7ff72fb729f8
  2⤵
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1528,8135126098708978994,993224973972037765,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 /prefetch:2
  2⤵
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,8135126098708978994,993224973972037765,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1528,8135126098708978994,993224973972037765,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2336 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:544
- C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1528,8135126098708978994,993224973972037765,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1332 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad\settings.dat

Filesize
40B

MD5
221f825ec48862aaac5157e5db7ace39

SHA1
70aa083899485f8bbc9cc4201ec2adf42a96bb88

SHA256
8199aa8e7dc6d41f05fa3967af9e4c510481e395dfb3cb00d66bd768b5f4c98c

SHA512
f30a6b669781d2ec78962742f165c15126260cb524e2d48861025596f9a4b5596df5728ba17dc7cba4b3fd1ce2aade9f5d9189850c3ebbb4651b0e8f051f416e

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\Network Persistent State

Filesize
875B

MD5
cf1f98a30ef55aa3d618cad0aa7607f4

SHA1
527af837af1f3cfe101c8771044c1a51ad63dce4

SHA256
d608d1b1538ceb7fd3d1eaa1f0fd6e1c91b4ffa1af47b4409d12ed69e7c878e2

SHA512
ce018a8db57d342ea871d2486b7681ce263ecbf6643172f159acd2da85c0f0bb00c26b94ff453fb0917ebff1805c2aab831cfe432a6fb549e2b44ab97bcbfb60

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\Network Persistent State~RFe58a563.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\TransportSecurity

Filesize
371B

MD5
8db7cf0de21397667394b342c8784de9

SHA1
7fbf8d57b11f977f627c135efae07acc0f4a72b5

SHA256
9ac151ffa153fe6e84d98d89b07bd5b06260b743b014627418839a0eb29f1207

SHA512
922b52f708855f43ab9fafd4dbd5da511127786dcaabe64fbfa6fcd146cb86eac2a0c89d26443e813a5be1945266072a2a6c673fb70d00819773bcb66ad31582

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\TransportSecurity~RFe58a738.TMP

Filesize
371B

MD5
8a154089d173ff3e4e885d9b02af2997

SHA1
e416bfc01f05725a07e06da370e8678773bc255b

SHA256
4bed46da1253c6d0d0a0df116cb6e60bfb59e0a1c5f53c8144049b85dad0da9c

SHA512
5747e421a1ecb0e181325f9a261e7e6f60d9b1acc5e42d23cf7444023d1bfdde0d76b5a5d3486b95eeb7df401c84a4b633921a79baee035a75c2e8363fccf49f

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\dc9354ac-457e-42bb-9b42-3cd6c1c68db9.tmp

Filesize
996B

MD5
7900c11e6f07aa844450fe091e752e8d

SHA1
51d798af2a88e774277a7e40c350286e6f7273ae

SHA256
ef587247c4c24075d3e5ee8c59ca11e399ce4bd82c50047a427bf6118e80933a

SHA512
d6fa09b5d2ee2195a281836352b7ab1b4e24e28d5402e7828504a545186f11c7930fe1850d40267466e48e4181093d3802a3983f8f55b38a1bf56d821e24e8b3

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\sentry\scope_v2.json

Filesize
171KB

MD5
1b93a2c2a1ba3b384031faf10a906b67

SHA1
d80dc947c2fc891280537eadef2eee33d05c2cb5

SHA256
01597756ed71cc7d06f9628ddec50af4f4a80a1c24ada01bcbb1ee1b30384bdf

SHA512
b5f8903a6e17da6ffc801ebfdb9741ee732c20d2dd10df5b352973b58d29cb0c74fa4fefd3a984d9b33fd1f219964abc44654bc2f5c8bf8668d0bc549006bea3

Download Submit
memory/4980-132-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-131-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-133-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-138-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-137-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-140-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-139-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-142-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-141-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4980-143-0x000001DB90BF0000-0x000001DB90BF1000-memory.dmp

Filesize
4KB

Download
memory/4992-12-0x00007FFB8B360000-0x00007FFB8B361000-memory.dmp

Filesize
4KB

Download