161ba4c1b21cd20b15573f0ccfc4a5cbab8dedd94c722cd60afb8551d8d91dc2

Analysis

max time kernel
665s
max time network
673s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-04-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minecraft.exe
Size

3.3MB
MD5

0501b8eb39f00dcaa3c89ccec2fbde17
SHA1

cb7b82a5d02a2b5ea9c16b5083015c832b556405
SHA256

161ba4c1b21cd20b15573f0ccfc4a5cbab8dedd94c722cd60afb8551d8d91dc2
SHA512

4ab6a3fd31c7551578f07ada264bb93a22eb16f75fdbcfaecf4c0861535a2f631082da5f6003ff9f57fda231e783cbf200caa6a6d6bdefbe08d64f33c67855b3
SSDEEP

49152:FyFWKUkiGqdO+huQ0Mm5aIHdkQ3qBge6jXdTv8JGo2WEWxm5PMdFH0U7T0f6mfb+:FmUkifdnI3eo8Uo2WElEk+

Score

8^/10

microsoft discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Minecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Control Panel\International\Geo\Nation	Minecraft.exe

Deletes itself 1 IoCs

Processes:

NativeUpdater.exe

pid process

212 NativeUpdater.exe

Executes dropped EXE 25 IoCs

Processes:

NativeUpdater.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeNativeUpdater.exeMinecraft.exeNativeUpdater.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exe

pid	process
212	NativeUpdater.exe
1468	Minecraft.exe
68	Minecraft.exe
220	Minecraft.exe
4704	Minecraft.exe
3752	Minecraft.exe
4796	Minecraft.exe
3036	Minecraft.exe
1760	Minecraft.exe
4264	Minecraft.exe
3032	NativeUpdater.exe
4948	Minecraft.exe
3680	NativeUpdater.exe
4024	Minecraft.exe
4416	Minecraft.exe
2260	Minecraft.exe
2348	Minecraft.exe
888	Minecraft.exe
2236	Minecraft.exe
4608	Minecraft.exe
3032	Minecraft.exe
3376	Minecraft.exe
4484	Minecraft.exe
784	Minecraft.exe
4452	Minecraft.exe

Loads dropped DLL 64 IoCs

Processes:

Minecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exe

pid	process
1468	Minecraft.exe
1468	Minecraft.exe
1468	Minecraft.exe
68	Minecraft.exe
68	Minecraft.exe
68	Minecraft.exe
68	Minecraft.exe
68	Minecraft.exe
3752	Minecraft.exe
3752	Minecraft.exe
3752	Minecraft.exe
220	Minecraft.exe
220	Minecraft.exe
220	Minecraft.exe
4704	Minecraft.exe
4704	Minecraft.exe
4704	Minecraft.exe
4796	Minecraft.exe
4796	Minecraft.exe
3036	Minecraft.exe
3036	Minecraft.exe
3036	Minecraft.exe
4796	Minecraft.exe
1760	Minecraft.exe
1760	Minecraft.exe
1760	Minecraft.exe
4024	Minecraft.exe
4024	Minecraft.exe
4024	Minecraft.exe
4416	Minecraft.exe
4416	Minecraft.exe
4416	Minecraft.exe
4416	Minecraft.exe
4416	Minecraft.exe
4416	Minecraft.exe
2260	Minecraft.exe
2260	Minecraft.exe
2260	Minecraft.exe
2348	Minecraft.exe
2348	Minecraft.exe
888	Minecraft.exe
888	Minecraft.exe
888	Minecraft.exe
2348	Minecraft.exe
2236	Minecraft.exe
2236	Minecraft.exe
2236	Minecraft.exe
4608	Minecraft.exe
4608	Minecraft.exe
4608	Minecraft.exe
3032	Minecraft.exe
3032	Minecraft.exe
3032	Minecraft.exe
3376	Minecraft.exe
3376	Minecraft.exe
3376	Minecraft.exe
3376	Minecraft.exe
3376	Minecraft.exe
3376	Minecraft.exe
4452	Minecraft.exe
4452	Minecraft.exe
4452	Minecraft.exe
4484	Minecraft.exe
4484	Minecraft.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\live.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\live.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4d46dab7ca90da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cf1a2ebdca90da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E15CDBE8-7114-4647-9004-AE1FB4D13BC5} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\live.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\live.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\fpt.live.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\signup.live.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 1563b8bdca90da01	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Minecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exeMinecraft.exe

pid	process
68	Minecraft.exe
68	Minecraft.exe
3752	Minecraft.exe
3752	Minecraft.exe
220	Minecraft.exe
220	Minecraft.exe
4704	Minecraft.exe
4704	Minecraft.exe
3036	Minecraft.exe
3036	Minecraft.exe
4796	Minecraft.exe
4796	Minecraft.exe
1760	Minecraft.exe
1760	Minecraft.exe
1760	Minecraft.exe
1760	Minecraft.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

NativeUpdater.exe

pid process

212 NativeUpdater.exe

pid	process
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Minecraft.exe

description	pid	process
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe
Token: SeShutdownPrivilege	4024	Minecraft.exe
Token: SeCreatePagefilePrivilege	4024	Minecraft.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Minecraft.exe

pid process

1468 Minecraft.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

4960 MicrosoftEdge.exe
4224 MicrosoftEdgeCP.exe
224 MicrosoftEdgeCP.exe
4224 MicrosoftEdgeCP.exe

pid	process
4960	MicrosoftEdge.exe
4224	MicrosoftEdgeCP.exe
224	MicrosoftEdgeCP.exe
4224	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Minecraft.exeNativeUpdater.exeMinecraft.exeMinecraft.exeNativeUpdater.exeMinecraft.exeNativeUpdater.exeMinecraft.exeMinecraft.exe

description	pid	process	target process
PID 4256 wrote to memory of 212	4256	Minecraft.exe	NativeUpdater.exe
PID 4256 wrote to memory of 212	4256	Minecraft.exe	NativeUpdater.exe
PID 4256 wrote to memory of 212	4256	Minecraft.exe	NativeUpdater.exe
PID 212 wrote to memory of 1468	212	NativeUpdater.exe	Minecraft.exe
PID 212 wrote to memory of 1468	212	NativeUpdater.exe	Minecraft.exe
PID 212 wrote to memory of 1468	212	NativeUpdater.exe	Minecraft.exe
PID 1468 wrote to memory of 68	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 68	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 68	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 220	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 220	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 220	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 4704	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 4704	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 4704	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 3752	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 3752	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 3752	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 3036	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 3036	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 3036	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 4796	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 4796	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 4796	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 1760	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 1760	1468	Minecraft.exe	Minecraft.exe
PID 1468 wrote to memory of 1760	1468	Minecraft.exe	Minecraft.exe
PID 4264 wrote to memory of 3032	4264	Minecraft.exe	NativeUpdater.exe
PID 4264 wrote to memory of 3032	4264	Minecraft.exe	NativeUpdater.exe
PID 4264 wrote to memory of 3032	4264	Minecraft.exe	NativeUpdater.exe
PID 3032 wrote to memory of 4948	3032	NativeUpdater.exe	Minecraft.exe
PID 3032 wrote to memory of 4948	3032	NativeUpdater.exe	Minecraft.exe
PID 3032 wrote to memory of 4948	3032	NativeUpdater.exe	Minecraft.exe
PID 4948 wrote to memory of 3680	4948	Minecraft.exe	NativeUpdater.exe
PID 4948 wrote to memory of 3680	4948	Minecraft.exe	NativeUpdater.exe
PID 4948 wrote to memory of 3680	4948	Minecraft.exe	NativeUpdater.exe
PID 3680 wrote to memory of 4024	3680	NativeUpdater.exe	Minecraft.exe
PID 3680 wrote to memory of 4024	3680	NativeUpdater.exe	Minecraft.exe
PID 3680 wrote to memory of 4024	3680	NativeUpdater.exe	Minecraft.exe
PID 4024 wrote to memory of 4416	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 4416	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 4416	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2260	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2260	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2260	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2348	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2348	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2348	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 888	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 888	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 888	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 4608	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 4608	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 4608	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2236	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2236	4024	Minecraft.exe	Minecraft.exe
PID 4024 wrote to memory of 2236	4024	Minecraft.exe	Minecraft.exe
PID 3032 wrote to memory of 3376	3032	Minecraft.exe	Minecraft.exe
PID 3032 wrote to memory of 3376	3032	Minecraft.exe	Minecraft.exe
PID 3032 wrote to memory of 3376	3032	Minecraft.exe	Minecraft.exe
PID 3032 wrote to memory of 4484	3032	Minecraft.exe	Minecraft.exe
PID 3032 wrote to memory of 4484	3032	Minecraft.exe	Minecraft.exe
PID 3032 wrote to memory of 4484	3032	Minecraft.exe	Minecraft.exe
PID 3032 wrote to memory of 784	3032	Minecraft.exe	Minecraft.exe

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
tools\NativeUpdater.exe Minecraft.exe Minecraft.exe.tmp --nativeLauncherVersion 1000 --nativeLauncherVersion 1000
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
Minecraft.exe --nativeLauncherVersion 1000 --nativeLauncherVersion 1000
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe" --type=gpu-process --field-trial-handle=2008,2456025297516743483,7035441654672536500,131072 --enable-features=CastMediaRouteProvider --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2016 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:68

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,2456025297516743483,7035441654672536500,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2416 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2008,2456025297516743483,7035441654672536500,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2560 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2008,2456025297516743483,7035441654672536500,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2008,2456025297516743483,7035441654672536500,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2008,2456025297516743483,7035441654672536500,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe" --type=gpu-process --field-trial-handle=2008,2456025297516743483,7035441654672536500,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=MAAAAAAAAADoACAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=1412 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
1⤵
PID:4384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2232

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\Desktop\tools\NativeUpdater.exe
tools\NativeUpdater.exe Minecraft.exe Minecraft.exe.tmp
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\Desktop\Minecraft.exe
Minecraft.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\Desktop\tools\NativeUpdater.exe
tools\NativeUpdater.exe Minecraft.exe C:\Users\Admin\Desktop\update_files\Minecraft.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\Desktop\Minecraft.exe
Minecraft.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=gpu-process --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=1980 --field-trial-handle=2072,i,13834938109984235552,4529343430985625433,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4416

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=1724 --field-trial-handle=2072,i,13834938109984235552,4529343430985625433,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2536 --field-trial-handle=2072,i,13834938109984235552,4529343430985625433,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2348

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2544 --field-trial-handle=2072,i,13834938109984235552,4529343430985625433,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:888

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3400 --field-trial-handle=2072,i,13834938109984235552,4529343430985625433,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4608

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3408 --field-trial-handle=2072,i,13834938109984235552,4529343430985625433,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2236

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
1⤵
PID:4248

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=gpu-process --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=1812 --field-trial-handle=1976,i,4442861713186516635,838270137666179152,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3376

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2324 --field-trial-handle=1976,i,4442861713186516635,838270137666179152,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4484

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2444 --field-trial-handle=1976,i,4442861713186516635,838270137666179152,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:784

C:\Users\Admin\Desktop\Minecraft.exe
"C:\Users\Admin\Desktop\Minecraft.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2516 --field-trial-handle=1976,i,4442861713186516635,838270137666179152,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
1⤵
PID:2364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WWYJQF1D\signup.live[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\HJ02XPFV\favicon[1].ico
Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\6btbyrx\imagestore.dat
Filesize
26KB

MD5
0eb9fed9fc9df45c67e4a04a29b0e6d3

SHA1
0071f65081a26f542c1a258500da03462c5f9cee

SHA256
071636ac17ffc75c647edf73e9785c54e68dc917fb11069ed9f03547e9f7a38b

SHA512
7df5b449d7ec4d944ecc9a4d7968a38e1612d4de9a5fcae373decd62cc7e6e517fbc6971f7755bc60308bd082505847ac69f46ea98502538b2440c560ab7ea4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF200F81F4472B5BF0.TMP
Filesize
20KB

MD5
6312da680d026941acaedb7f9d80bf1f

SHA1
69fafc16f3fcc97830c5acd5789a29ab003301f7

SHA256
e5a86756888315394388f3de89bc6b74dbd5c7e413278b7231f21638e6f001ab

SHA512
1341e8a12a56db611162df92c5f09ede320899ddcc7114c7833cc33c32c00954425fb96f22b39d68820860a561e95d8041c291fe25e81e7d0ac1359114a12d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minecraft.exe.tmp
Filesize
3.2MB

MD5
e8c86a94df2f0a4c5edfa59cfc420329

SHA1
4212cb446a2dce87225ca20ba45e10befb084062

SHA256
60c59edec70f5cd7d1cf880e7a1475de6f73932dc23ae913f9c7dfeaf52489e1

SHA512
273298886ff9466a28caae48e59d701fc1519ba39196ff5abac8c52b0d00e21be00e852ff453ed659fcf2c7cc980c138bf162a4dc8453d84fc542df451880e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef.pak
Filesize
1.9MB

MD5
fa6c54291dcc13acc9dbec30923fe503

SHA1
8f157cc1ab1c18bf47305543b149604797cd6587

SHA256
455dd904ba68305f45682ae9c776a87cb2cb67bbe2d20e13cf97a812b68cf5f4

SHA512
135773297e6481f66d53a6a6bb887e0e0ba17ded9f76e2cef2db48a095a4c301eda84feb46f2a44425f4d34accd72765ee324d30a0692aa0c6d2c513166d51de

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_100_percent.pak
Filesize
261KB

MD5
4cec40309dc9e4bf0f0cc915aeb6c9ac

SHA1
2da1b18943265f473f6b87b63132dbb2398ff487

SHA256
6267cb52b0ca5593cf402139e736eb4f1d6bc3f2eab4c6deb99934711050ef4f

SHA512
e684d4d735762e87c8556c164379f97f59b8b4077e2f4c49ae43610ca2a3994ad45839cf6edef4e741a4f1fb345413e4246fb5901dd52bd98c9a2f60866817c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_200_percent.pak
Filesize
412KB

MD5
50a6d9ab74ebfaeda5baa28997149977

SHA1
1ad557cecf3d54a5fbe471ceab189d344fef347c

SHA256
c8f7697bdb4aa19722b975dd2126baf8c2edb5c0a58e2d64a6fefa4cbb8335ec

SHA512
31647191b432f82ff24a41a16abb77512bed2f3105791079d795304452e2bff89f618202023fd133cdc79f80d02647093edebca9e43c19cbd4d2bed4c8d35180

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_extensions.pak
Filesize
1.2MB

MD5
c294094045246da46492204f2920d74f

SHA1
229367ac0be0a2da9d6338cba6f45c07f790140c

SHA256
8e8882c3d420231e1ddd1329e259cd8dc38fe392727aa74cfa4df57125d4cfb3

SHA512
03543e3c436a8b42b3f5bb942de468b4898172720ddef5597535b81347581ae0c89bf91e6bef3b91c796ca5bd393a865b2fa53ba70b2fda6578c640b14ab92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\icudtl.dat
Filesize
10.0MB

MD5
9732e28c054db1e042cd306a7bc9227a

SHA1
6bab2e77925515888808c1ef729c5bb1323100dd

SHA256
27993e2079711d5f0f04a72f48fee88b269604c8e3fbdf50a7f7bb3f5bfc8d8e

SHA512
3eb67ab896a56dab4a2d6eea98f251affd6864c5f5b24f22b61b6acc1df4460d86f0a448f1983aac019e79ff930286c3510891be9d48ef07a93ff975a0e55335

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\launcher.dll
Filesize
59.3MB

MD5
03e38e3ad8d0c8ad8652c524c8a747d8

SHA1
0ed6423e26978b7e4241c2bc6e1477994f1312d9

SHA256
371f989bfd012b243941bfa13cf30661c6014aaa3bf5b9bce59ceef950a7021d

SHA512
265f0d2887f8c56883a8345a983777a1b9955e1713feb4f7374eb4db8182578265517edc859aec792a02d9aeea7162527df139da474f3d21485154bb6a441bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\locales\en-US.pak
Filesize
225KB

MD5
16a6914c9637812257e28b2cc4e6d809

SHA1
82212a642c90b51b8f67e517ee8782da841b658f

SHA256
8fe734f556d97e7c07d02e839a16565f7db88ca7091ca3903a9b153a68aaaf72

SHA512
6efbab68c8b036fd73951295a5f65718003deea46db838f6f263133452e09be45ce006246850facbb1922766f42c2ce1796722cecfcc8495921a7bcd9402a446

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\v8_context_snapshot.bin
Filesize
167KB

MD5
cdeec3342ce88d4de5426032a6bf6a53

SHA1
b36ec3c3b20a7a06ff282d696f12b51904b073a4

SHA256
ca88a3c7034da1de52d35823fba0fe80ba5376ab70cdc1841e6aaf25c1f5dd6e

SHA512
54874cd76589124b750fdae90be75e1acf374566d56352c15dbbee98c095aad0e56db142952a808b08e4817bf5f8e176ffdc4ff79110d8661ee4f7ede16b2ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
Filesize
1.1MB

MD5
72e1747a895001b1a300ffcad1edc9a6

SHA1
111e67014919bf1a42859951abdd945e4080e883

SHA256
2bbf4862a5900db35050e1679e08bb91c879c112f3259bfbc483cb26aad09eef

SHA512
31af0b629fe79d6fcbdde4f7928c66f59773ad47971ca9f091f1e00e9e9f9c6ca254732040d2e1b764fcad2f2997c5e8e15247f928e97528b0bf36aca3be5ba1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json
Filesize
34B

MD5
e732343f87379d24890d51c562c11dd3

SHA1
ad4e67e70937491a988dc4ebf5c4e729962f2c4d

SHA256
d126884d48a4d27e8048590fa9f3c9c1df699b825b69cfe086d769d898289dda

SHA512
8f3ecbe891e30de9961c0b9c4c5e978f52d91748ab8a31d12c2e0e2297012209df9c9d9e8547f361f9d14e2c40ced3e2f40919e08a1aad6989cf1c0d61610e3e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt
Filesize
173B

MD5
9380cad055c204ff9b4cbce6572f9bd1

SHA1
bf91151d8670d8a840064b4b4cc03bfe59df655d

SHA256
68c4e8d75d65fa11c75b278b6f4415dd2100a65d9f25e1ffb16c2fbe41b3d8ba

SHA512
3a3a655422c2a5670439359e6a60cf7da73d4647fd3d5e1f704c9ae4ba9070d9bc8bd30817b1ec30b3dba6228e71b63e9472962258044b25fd6c0c9bcbdfb884

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt
Filesize
450B

MD5
ea145b6da45ef51163679b1fd303aa84

SHA1
701930bf9ed45086e55946a552f76ecb944bc5cd

SHA256
f26536994477b5cc403045ef176b050d25d131cd71ce8b5d8e81111ac218573a

SHA512
8c182b9a0591d0822b217b236b8689aeed8b8459d7af3dc2e3bb390618553a18e6acc73da6f02451ac3849d8dc8aadbc82f02e903b8b53bd2bee1de17627e21b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt
Filesize
349B

MD5
6c4090665e31926febfe96ff27dbcc99

SHA1
e9c82700c5121e03bb159df10ce52e1e614b21a8

SHA256
5afe0728d264fa8391d85ddd27bf74d68b7efea3ea02b6fd2e75cd3c627706e6

SHA512
0717fafcf9fc317bffabde7924268695846a4941f1a4e0087891d98a5fac64217f3d83e99d7dfa3356dd44dbfd0e445c174e4aac7a965b9e4465c26bb3ebf67b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt
Filesize
5KB

MD5
5303b01fb89af82c9cfb2513b60030e7

SHA1
6b47a517c37014b21313c737c7820ba5f64bd3c8

SHA256
c863d5cbcd819e39b40532e12b69358fbd18c1f0af59e367e3c576a0a28c536c

SHA512
c165b88d04bccbe7e92cafe291448aebac8a3a8c35e12f51dd3d131e17bdc91c6d157826d16eaf60221e957638244b2c9e1ab024a2e8200fc2022531c1871eec

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json
Filesize
954B

MD5
ddd9dc772c793b5c32a47d5e8c2997e0

SHA1
610004fdb9471239c9797a0bff05fe91d27cc436

SHA256
8b33efa48836d2f89212722365d05c0b7580e9bfe7e2c1555e62ae05c0e9003b

SHA512
a9a0c32725b4c3cc1a7434c16bb5cd0ae7167a9684e18295de8093dfa8d07e75228f5c6d94df8e2f8a10225b984077f7bbabf14a7713f2e4d58c1d9c0f631de8

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json
Filesize
221B

MD5
2b636fdf39c1fe9da2990ce1dce4ad37

SHA1
515b772e117e59c5fd41e8c704ad7d9e0703ab64

SHA256
bdae3672c09e5452448e3d429d5123cadacccfdd54d45a3f2794789f31b38d8b

SHA512
b562927e50038e5d47ebbb07fb7ab0bd2882bf4953dc72aee6df4ce3071735d36944a34fe763baf4a81db1c4434cfad45149d0b870c8605d5757264f2eaf1c32

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json
Filesize
221B

MD5
73ff3f55e7e4dba511bbe4e3990c5642

SHA1
9521295401d04206d82bd0cc9fe7879a203460bc

SHA256
5064f84888a22dd6c202f90df2d4e89db361a56bae3d08576762ed4d59cfc2a1

SHA512
ef17eb20e88fefb4494f550cbdb2572fbb5fe979ccb3c7a59ff9aeb82148f777ae0ccb5cc24e80de883813ebc8bb446fbed49998a501a97112d17e6adca5cecc

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json
Filesize
367B

MD5
232d2d56418b51e713b701934eb8b749

SHA1
58be4aa7ec98a477e9514bea2fbf613efdf701b7

SHA256
90402cb71ecdfd527333b8a7db5f0ba67d347fb417dfe84e795789b6d44e0120

SHA512
ed82ab193aad32ee0c9f13353e57d03083c5019f7a4a31ff4b6d6d92e077bff12ee43adfe7bc5053e8f208ff6d221979ec673b6febb277093cd0f5e5f6e5a65c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\treatment_tags.json
Filesize
518B

MD5
4a96536510bd25c1a091523bc52fc7f6

SHA1
94e501de146aebac93a854d1268f3a6dd8960c8e

SHA256
f841918e8aaadf3a1c55d579f5d4211edc4f98361f3a9a1c9bd97d88d49754c0

SHA512
ba9576abb6c0035a9cef38b78e32ad16ff2d7fea9053ea0601c72076dd7de51397503329ed5818ad1bb98aa4b3db8b18ad521b0b64123eee953bce0b0b172cde

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\updateLog.txt
Filesize
587B

MD5
4c547488d2a4445a500402448665e9a6

SHA1
8dd4111e4a03463cdfe6b3fa84a37e8a0567cefb

SHA256
a5b09da9d62299211bd755b873a9c501a8cccc9bf40db52106ef362c2b84c912

SHA512
24464dc4fc7b31308078ed67380792903c69ab90d97987409585a7f1efd23a0e0f310d9acd714f9eee1ee7ea31227f8d1ff34e748d817171936e600fdaf5c4da

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\versions\version_manifest_v2.json
Filesize
219KB

MD5
89830afd29dff9380c4d2da48802665e

SHA1
48d36d5543877a3f86cce12b7ef91bb7a1a19c3f

SHA256
4bb12387e27009481b11fff71b6507312a54f632105003c74c12367bb1746f1e

SHA512
04221fb0956939b14aeb4c9c1a800c1357cc004a07d9046cf9062e795d5551d122dc60aca905f739f20edac7cf479b5e11c2afd220e44939b0f348f69d06a7a4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network Persistent State
Filesize
194B

MD5
e9e8b480b2e5c91fa3572f0a6d4949f7

SHA1
36f6e62bfd0e5c3a2a5a11a183f98fd53731c57f

SHA256
727ff17c7670d111b8d91ed761537f848cfb6fc76d34b2b4d3a7ca3ef2a1eff2

SHA512
19957f4b3807b2fb0f17eb37fa1ebe0aa6fd871911cf80118f52b05d1f8d653f037812888b7504253706fb26f2162520e08158c2023ccfbb07b083901adcc704

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network Persistent State~RFe5b7a8b.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Desktop\Minecraft.exe.tmp
Filesize
3.1MB

MD5
e072d99744d11c4a4334ea9a35b2ab52

SHA1
a81acaa7c5e85551e5404d0706433c0f39ce7386

SHA256
6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495

SHA512
2659018f15cc40d9ac418da4070fbad39ba049cb9d918ae595f86b042aeb7088cc53e31a5a424fcec0f84e270cf1c9ba509ac2fbb54d49aef15f35e1ad161f5e

Download Submit
C:\Users\Admin\Desktop\game\chrome_elf.dll
Filesize
974KB

MD5
e080885e16b5ce5e94216b150d7d2a7d

SHA1
e86bdda23ff3f0354688ed8552eb758bbde3f2de

SHA256
cb0031a14f3dc53e6b409a28086f5792dbc27ebdaa0878dfcf86a66c9eaa96d1

SHA512
01b5438141b697fc16767830835a0694eec21847ebd70359f83fb216f0c0872055664d4151989a9ceb08689c151bd5790ff861057bdf4e79481fe6cebdc0315c

Download Submit
C:\Users\Admin\Desktop\game\launcher.dll
Filesize
18.4MB

MD5
01af631e9ceeb6463348de69d7a15a3c

SHA1
e249cee6b180531fc2eba10c8687f190c9b84302

SHA256
220fad0c42eacd070cf58d38673dcf404f7d402c1c8cc3bba3fb34b705aa261b

SHA512
1426711992095a15921a86b259895778ab0e2ffae4fceba2156fa66612d3766ec4923fa411e5a1f8142f03d01a989dfd523130b1a56d46764bf8bd4c9d1e78ef

Download Submit
C:\Users\Admin\Desktop\game\libcef.dll
Filesize
139.0MB

MD5
5a8ac90888b55a52a824fa5fe36b572f

SHA1
ad21c3462ab7afd23ff4c5b6326276adce0d82c9

SHA256
c59eb4d1fe15ed95e800d488e1ecf59d957268cd1dd1af973dd0511f4e3a6b4c

SHA512
8c5e5cd9f166170a513725e478c083025ba0764d436865a6e4cf68eb085c9de5f7dec0c4c18f8c570b1a8e154c1348eec19152a185b5e26c531d0d0e74bbf86d

Download Submit
C:\Users\Admin\Desktop\game\media\background.zip
Filesize
16.8MB

MD5
1228a2bc7b6ab6e165307006e988f891

SHA1
fb7d413ff2e7281a44c4b8a408439550386db431

SHA256
96046d1485c73fe30dfec21998564f53f2a264356df2107aa39b29d158641c72

SHA512
4019781d4547064dec280590724a426430f2244482f3b0a5d09da359c36bc9acdb104b75137e42c51615d6880ca67a042488501be5d6235fd41291e6d8945c27

Download Submit
C:\Users\Admin\Desktop\game\media\common.zip
Filesize
3.4MB

MD5
a8c2456cdfc07456d565265b10ae360c

SHA1
b61e326d8a56b9338ee6bb3edaf615dbaefc70f8

SHA256
ef55d0d0d7a2d63e6092e880b8ca32ced6c363fae6d3ba194360fdefcc96b8af

SHA512
0db91288f661129e5cdcb379c6477d1ed2c5b6dbc6b3ed50757d74ba793c8a996b933fae1a7bed28a230175ecae8c08ff50a2f391bad2d6e15104c553a9b1ec4

Download Submit
C:\Users\Admin\Desktop\tools\NativeUpdater.exe
Filesize
1.1MB

MD5
e042dcf0de9c23a6042679afef3d4c93

SHA1
d4f1d7f6ae8ff9352f6d02552c89f9e464334473

SHA256
f712277d4161b2e5ff0f1a8dad8ae825a8863c5e517f156369cff4e9770b1e8f

SHA512
e62d1d9e138ac6dc5ce5044c8ea315b075746aa6cdd5bc2e2d505ec8d0e53f916f9e69c7edd3dcd37b42b145c5de8cdd98f07328e97050371cd9830f49f2491c

Download Submit
\Users\Admin\AppData\Local\Temp\game\chrome_elf.dll
Filesize
810KB

MD5
4c8f4689e087a9843a79d6ec923f00df

SHA1
e6e37e19a04a55944bdfba6f9359bbe0ea8402fc

SHA256
8753acc450280e1c5ef5a09dac46d1fd873f1e66d771affc4b4afbfa3d59e3c4

SHA512
30b205bb4b391b23a7bb15248daa42af3ec34225d169a0d70325ea7e1422d298ea3376962e689311074346dd7aec3579789748e3aaa17b04ab72de6c0a0fc5e0

Download Submit
\Users\Admin\AppData\Local\Temp\game\libEGL.dll
Filesize
315KB

MD5
e646266652e470489b912c39d4bbfacf

SHA1
fb5af43ba527f0b03f6e5db0dba870df7acecf77

SHA256
e2b31cbbbd97c2d098a44acd5e1c84e092f4bf4c535fe6ebc3703a78387c03a9

SHA512
fe5ca9d6dc63ca6982702072aa34ada2d43c3c781e1fac09e324b17b3ed05bb8d203c3c08c0fe4aaf8985781933a8a3f2cd8e4928b0fe567c46a8da46f481b3f

Download Submit
\Users\Admin\AppData\Local\Temp\game\libGLESv2.dll
Filesize
6.6MB

MD5
79d62a3663c1963c90ed84045e0450ac

SHA1
cd3b444ec31e78c7bef960f91548de1e1f2ae487

SHA256
896cd68e51fb5c4937717e350b911d5dd18dc285f466fb712ccb0578fff1365e

SHA512
2da35a7db00ad3c22de448abfe3eb4425088b51db0f093dcfb0e934edee40567ebc8cd1bf0768bb1a43a397a49ce5d388edf2427fcc09eb48033b8baea918520

Download Submit
\Users\Admin\AppData\Local\Temp\game\libcef.dll
Filesize
107.7MB

MD5
ccb97167048a6c3928e0d93c2ee6efb1

SHA1
a3d60c190e97fc3e45d2de6ef0abf31c13393ed1

SHA256
1d0794f5029198084a19e690823ba72255baf52f05f2fa5eb734ec48adacd9a2

SHA512
9b5dbffb00b01f2a50c2fa094b3c67043c81e5b238df98df2b219e39d183a72822e72d7e51486dbd6156846350355bd5402890b6da46ca01e405211367ebeeb6

Download Submit
memory/4924-1167-0x000002F281C90000-0x000002F281D90000-memory.dmp

Filesize
1024KB

Download
memory/4924-1182-0x000002F283170000-0x000002F283270000-memory.dmp

Filesize
1024KB

Download
memory/4924-1063-0x000002F280970000-0x000002F280972000-memory.dmp

Filesize
8KB

Download
memory/4924-1067-0x000002F280990000-0x000002F280992000-memory.dmp

Filesize
8KB

Download
memory/4924-1070-0x000002F280A40000-0x000002F280A42000-memory.dmp

Filesize
8KB

Download
memory/4924-1072-0x000002F280A50000-0x000002F280A52000-memory.dmp

Filesize
8KB

Download
memory/4924-1074-0x000002F280A60000-0x000002F280A62000-memory.dmp

Filesize
8KB

Download
memory/4924-1076-0x000002F280A70000-0x000002F280A72000-memory.dmp

Filesize
8KB

Download
memory/4924-1079-0x000002F280C50000-0x000002F280C52000-memory.dmp

Filesize
8KB

Download
memory/4924-1082-0x000002F280DF0000-0x000002F280DF2000-memory.dmp

Filesize
8KB

Download
memory/4924-1087-0x000002F281320000-0x000002F281322000-memory.dmp

Filesize
8KB

Download
memory/4924-1091-0x000002F281F90000-0x000002F282090000-memory.dmp

Filesize
1024KB

Download
memory/4924-1101-0x000002F280CC0000-0x000002F280CC2000-memory.dmp

Filesize
8KB

Download
memory/4924-1104-0x000002F2809B0000-0x000002F2809B2000-memory.dmp

Filesize
8KB

Download
memory/4924-1190-0x000002F283480000-0x000002F283482000-memory.dmp

Filesize
8KB

Download
memory/4924-1185-0x000002F283070000-0x000002F283170000-memory.dmp

Filesize
1024KB

Download
memory/4924-1037-0x000002FAFF800000-0x000002FAFF802000-memory.dmp

Filesize
8KB

Download
memory/4924-1035-0x000002FAFF5E0000-0x000002FAFF5E2000-memory.dmp

Filesize
8KB

Download
memory/4924-1039-0x000002FAFF8C0000-0x000002FAFF8C2000-memory.dmp

Filesize
8KB

Download
memory/4924-1170-0x000002F282700000-0x000002F282800000-memory.dmp

Filesize
1024KB

Download
memory/4924-1171-0x000002F282E90000-0x000002F282F90000-memory.dmp

Filesize
1024KB

Download
memory/4924-1172-0x000002F281F90000-0x000002F282090000-memory.dmp

Filesize
1024KB

Download
memory/4960-1005-0x0000027767000000-0x0000027767002000-memory.dmp

Filesize
8KB

Download
memory/4960-1113-0x000002776E360000-0x000002776E361000-memory.dmp

Filesize
4KB

Download
memory/4960-1111-0x000002776E350000-0x000002776E351000-memory.dmp

Filesize
4KB

Download
memory/4960-986-0x0000027768100000-0x0000027768110000-memory.dmp

Filesize
64KB

Download
memory/4960-1316-0x00000277670D0000-0x00000277670D2000-memory.dmp

Filesize
8KB

Download
memory/4960-1321-0x0000027767030000-0x0000027767031000-memory.dmp

Filesize
4KB

Download
memory/4960-1329-0x0000027766FF0000-0x0000027766FF1000-memory.dmp

Filesize
4KB

Download
memory/4960-970-0x0000027767D20000-0x0000027767D30000-memory.dmp

Filesize
64KB

Download