hxxps://web[.]archive[.]org/web/20191103023406/hxxp://assets[.]minecraft[.]net/1_9-pre4/minecraft[.]jar

Resubmissions

02/06/2024, 23:22

240602-3cqz2aca56 8

02/06/2024, 23:17

240602-295zsaaf8y 7

Analysis

max time kernel
300s
max time network
283s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://web.archive.org/web/20191103023406/http://assets.minecraft.net/1_9-pre4/minecraft.jar

Score

8^/10

microsoft discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MinecraftLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MinecraftLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MinecraftLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MinecraftLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MinecraftLauncher.exe

Executes dropped EXE 10 IoCs

pid	Process
3216	MinecraftLauncher.exe
1304	NativeUpdater.exe
1488	MinecraftLauncher.exe
4168	MinecraftLauncher.exe
4000	MinecraftLauncher.exe
3972	MinecraftLauncher.exe
1620	MinecraftLauncher.exe
640	MinecraftLauncher.exe
3568	MinecraftLauncher.exe
812	MinecraftLauncher.exe

Loads dropped DLL 32 IoCs

pid	Process
2256	MsiExec.exe
4208	MsiExec.exe
4208	MsiExec.exe
2792	MsiExec.exe
2256	MsiExec.exe
1488	MinecraftLauncher.exe
1488	MinecraftLauncher.exe
1488	MinecraftLauncher.exe
4168	MinecraftLauncher.exe
4168	MinecraftLauncher.exe
4168	MinecraftLauncher.exe
4168	MinecraftLauncher.exe
4168	MinecraftLauncher.exe
4168	MinecraftLauncher.exe
3972	MinecraftLauncher.exe
3972	MinecraftLauncher.exe
3972	MinecraftLauncher.exe
4000	MinecraftLauncher.exe
4000	MinecraftLauncher.exe
4000	MinecraftLauncher.exe
640	MinecraftLauncher.exe
640	MinecraftLauncher.exe
640	MinecraftLauncher.exe
1620	MinecraftLauncher.exe
1620	MinecraftLauncher.exe
1620	MinecraftLauncher.exe
812	MinecraftLauncher.exe
812	MinecraftLauncher.exe
812	MinecraftLauncher.exe
3568	MinecraftLauncher.exe
3568	MinecraftLauncher.exe
3568	MinecraftLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\ta.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\common.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\.version	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\chrome_200_percent.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\da.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\bg.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\en-US.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\fa.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\pt-PT.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\sk.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\zh-TW.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\chrome_100_percent.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\launcher.dll.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\background.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\upsellcontent.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\ja.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\pl.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\dungeonscarousel.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\en-GB.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\es-419.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\cs.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\ml.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\animation.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\fi.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\lv.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\id.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\resources.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\vulkan-1.dll.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\update_files\Minecraft.exe.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\es.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\mr.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\ru.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\images.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\vanillamusicbeats.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\vk_swiftshader_icd.json.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\libcef.dll.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\hi.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\hr.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\lt.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\sl.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\legendsmusicbeats.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\realms.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\snapshot_blob.bin.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\ca.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\he.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\it.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\ko.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\ms.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\pt-BR.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\d3dcompiler_47.dll.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\fr.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\nl.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\sr.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\vk_swiftshader.dll.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe	msiexec.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\fil.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\th.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\anniversary.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\media\onevanilla.zip.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\swiftshader\libGLESv2.dll.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\icudtl.dat.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\am.pak.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\libGLESv2.dll.tmp	MinecraftLauncher.exe
File created	C:\Program Files (x86)\Minecraft Launcher\game\locales\gu.pak.tmp	MinecraftLauncher.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6A960B34-5197-49DE-AC60-1177DFE24976}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI620C.tmp	msiexec.exe
File created	C:\Windows\Installer\{6A960B34-5197-49DE-AC60-1177DFE24976}\minecraft.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\e596131.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI621C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6470.tmp	msiexec.exe
File created	C:\Windows\Installer\e596133.msi	msiexec.exe
File created	C:\Windows\Installer\e596131.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{6A960B34-5197-49DE-AC60-1177DFE24976}\minecraft.ico	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f9c3b1b881b13bb50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f9c3b1b80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f9c3b1b8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df9c3b1b8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9c3b1b800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618441592337699"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\SourceList\PackageName = "MinecraftInstaller.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\43B069A67915ED94CA061177FD2E9467\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\ProductName = "Minecraft Launcher"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\Version = "33554432"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\PackageCode = "001099CBF912E7A4CB6D8BF85054747B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6\43B069A67915ED94CA061177FD2E9467	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\43B069A67915ED94CA061177FD2E9467	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\ProductIcon = "C:\\Windows\\Installer\\{6A960B34-5197-49DE-AC60-1177DFE24976}\\minecraft.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\43B069A67915ED94CA061177FD2E9467\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	MinecraftLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	MinecraftLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	MinecraftLauncher.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1680	chrome.exe
1680	chrome.exe
5036	msiexec.exe
5036	msiexec.exe
2512	msedge.exe
2512	msedge.exe
1800	msedge.exe
1800	msedge.exe
4268	identity_helper.exe
4268	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe
Token: SeShutdownPrivilege	1792	chrome.exe
Token: SeCreatePagefilePrivilege	1792	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
3864	msiexec.exe
3864	msiexec.exe
1792	chrome.exe
1488	MinecraftLauncher.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe
1800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1584	1792	chrome.exe	81
PID 1792 wrote to memory of 1584	1792	chrome.exe	81
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 536	1792	chrome.exe	82
PID 1792 wrote to memory of 4272	1792	chrome.exe	83
PID 1792 wrote to memory of 4272	1792	chrome.exe	83
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84
PID 1792 wrote to memory of 4352	1792	chrome.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://web.archive.org/web/20191103023406/http://assets.minecraft.net/1_9-pre4/minecraft.jar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9303cab58,0x7ff9303cab68,0x7ff9303cab78
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:2
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4248 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3304 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4144 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3940 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4308 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4632 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5432 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3240 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4616 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5660 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5608 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 --field-trial-handle=1908,i,5943858268240392039,265584667457930553,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\MinecraftInstaller.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:3864

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5036
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03CF21BDC121AA0CEB5D7EFE904D6AEB C
  2⤵
  - Loads dropped DLL
  PID:2256
- - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
    "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3216
  - - C:\Program Files (x86)\Minecraft Launcher\tools\NativeUpdater.exe
      tools\NativeUpdater.exe MinecraftLauncher.exe "C:\Program Files (x86)\Minecraft Launcher\update_files\Minecraft.exe"
      4⤵
      Executes dropped EXE
      PID:1304
    - - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        MinecraftLauncher.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:1488
      - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe" --type=gpu-process --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2216 --field-trial-handle=2280,i,18431433831282559357,12886466781374629059,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4168
      - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2576 --field-trial-handle=2280,i,18431433831282559357,12886466781374629059,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4000
      - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2584 --field-trial-handle=2280,i,18431433831282559357,12886466781374629059,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3972
      - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2728 --field-trial-handle=2280,i,18431433831282559357,12886466781374629059,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1620
      - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2768 --field-trial-handle=2280,i,18431433831282559357,12886466781374629059,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:640
      - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3716 --field-trial-handle=2280,i,18431433831282559357,12886466781374629059,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3568
      - C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe
        
        "C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3748 --field-trial-handle=2280,i,18431433831282559357,12886466781374629059,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sisu.xboxlive.com/connect/XboxLive/?state=signup&signup=1&cobrandId=8058f65d-ce06-4c30-9559-473c9275a65d&tid=896928775&ru=https://www.minecraft.net/login&aid=1142970254
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff937e246f8,0x7ff937e24708,0x7ff937e24718
        7⤵
        
        PID:4644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
        7⤵
        
        PID:3796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
        7⤵
        
        PID:3144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
        7⤵
        
        PID:1196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
        7⤵
        
        PID:3164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
        7⤵
        
        PID:940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
        7⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
        7⤵
        
        PID:5092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
        7⤵
        
        PID:3184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
        7⤵
        
        PID:4200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
        7⤵
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7624157450302645427,10773841885968277954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
        7⤵
        
        PID:5316
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96BD78D6DDAA400E9272B629310D8E3C
  2⤵
  - Loads dropped DLL
  PID:4208
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CAFEDA192E6FF35C13098865F8B5A527 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4196

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
1⤵
PID:1968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e596132.rbs

Filesize
8KB

MD5
c9b923f7d8bb2aee29b6498ee100da0b

SHA1
514773902be3feede1f6d7a82b855cb55a3ccf5c

SHA256
04972e2ef05ece0788025fda4737fe006517b481af023203110cadef488dccef

SHA512
9de118fb8cea03422abf897b8c882ae213195919e290503fdf6f75af8dac5b86aca0e12d4a962ecdc1895dcd84e97e57c38921ac00387606a20ba9a06f5533c6

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
3.0MB

MD5
11a4bcd0c92d0d973847450bbe46c6bb

SHA1
f1229f3027424d650a0de2d6999626585539b2de

SHA256
6cbf77ad3d9c53860a353c9580c49ac81e6d26c93394347371454df6cf3f2ab6

SHA512
e33ad661735437db39e1aafa2d6c167e96582e240e4fa4a5ecac829e5a693e471b16be6d911a7937628f0c210a71473800c081ea5c061fc0c7fa98662554d17a

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\chrome_100_percent.pak

Filesize
620KB

MD5
e05272140da2c52a9ebef1700e7c565f

SHA1
e1dc01309fca499af605f83136d35e6d51fcd300

SHA256
123092a649b8def6efca634509fb20ba4fbf9096d6819209510b43b5f899c0a3

SHA512
476907363a0d1e1bf81d086aff011b826fd28a885e2eabd2e07e48494eafbd48d508b1a9050efe865585f7c4d92a277886440876846cba8a2226033ff35a7a81

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\chrome_200_percent.pak

Filesize
933KB

MD5
0d362e859bc788a9f0918d9e79aea521

SHA1
33abea51f76bde3e37f71b7e94f01647bb4dcbd5

SHA256
782f475d56e62c76688747a22ba4ae115628c5c3519c3c1e3d1a51a4367bfc28

SHA512
37ca08bbe5525d0f2d45a9fe65a45f6c5d8366330fc60304822d4c7470dd66b8733d92803ce6aabdf4175ad0cf43d6e4a9ff9d4e49ff89d8eddc5f7083e7f067

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\chrome_elf.dll

Filesize
975KB

MD5
077cf7b55f33077b26258d427eb35cbf

SHA1
707f227dc72008860655d98b56db52239691c128

SHA256
68b8b90e78d9c88d01a5298bbed536ae30f08b4fd4a188c0ab9d21c9894359f4

SHA512
418b1fc661715a562fa06b8ae6dbc56ea201c35bf8c776cc230764572c4e1b1fdb2054647c8bb66a4ee181dda8184989b794b4195705966936b0990584b4be9e

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\d3dcompiler_47.dll

Filesize
3.9MB

MD5
d015c13bc7b1eb3a16c4ccedea833828

SHA1
9f85a04f405f797d62767a33f2b6f1aa34ab3b10

SHA256
5605f1700180489ea4ddf906f2ea9c45c4662cc853b044144e0f1b969b1f6c91

SHA512
ea7985f4139abd875a322dfd1267b901d07a42da600c61577c0a948637484be63b914e7546e77a7c20a5e308df7623af4959dfea3c6957d9a4551444b192d68e

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\icudtl.dat

Filesize
9.8MB

MD5
d866d68e4a3eae8cdbfd5fc7a9967d20

SHA1
42a5033597e4be36ccfa16d19890049ba0e25a56

SHA256
c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d

SHA512
4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\launcher.dll

Filesize
17.9MB

MD5
3f5b8eff84c27a3a01856486b214a8fa

SHA1
29b042407822b6c533cb021c37b193aaddaef02b

SHA256
4aa870aa33035e5a350deea9f471e34287935c14eada65a8054632a6b4069d97

SHA512
9f3aaf05cbbccfe20cc18bde534b548c9f4d2aa86ca49fd7611f4e53d9941ed900268a4909e41e78a3620bc9cd2c68a5e1933d0900cfbf507dbeb915a6aa97c2

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\locales\en-US.pak

Filesize
296KB

MD5
99b4fdf70abc76d31e44186e09a053a6

SHA1
fb4192460341de2a04127f1e7fdf5c41b12ca392

SHA256
87dc8b512fdb79d381db0577961967ac2968a902f4914b6fd3bb59ef84a149fa

SHA512
d84b2c0a1fb32515e45bfb922f14a7134ddf01c62ec1405f2d5c7e54a8b4993e943333e3a69905856215a51b3df64f2547128bd0094b70280bb105b4444f32da

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\media\background.zip

Filesize
16.1MB

MD5
fa7d148a1b6dde6bf4e5fca1aa114bb0

SHA1
3d7aed25cb2668e0bf6a330b7f2cbb18062b2e7a

SHA256
b40250a7e0ee006cd91d290355ff66ab005ab0b876dbe3448887750de92d2d58

SHA512
3b5f0ca7d443ab1ad1643c0e65036679201351d4b6c5c765d71d9948b19cfa1f6afe2c634d2d4ca323bc0697241af84dcc69820eddfb6d8b1827ad441a3d3c6a

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\media\common.zip

Filesize
1.4MB

MD5
3dd489686eab0017ce987bdab1f76aa8

SHA1
f0de33e8926af056c309d6309bb14fa6f3b96c49

SHA256
0e4ef157fec67b4cb6dc5e2a2cebbaf14752e5b84c083e7b6bcd6c4767477e93

SHA512
813ac0161255b1daf9ef63bae6dca5bb4b70e1f2bc6b886d4a8cdbe38c83212ca686a426a90710c662918ee4b08a13cf50a03f317f0ef9dea93570e83344e5c5

Download Submit
C:\Program Files (x86)\Minecraft Launcher\game\resources.pak

Filesize
6.8MB

MD5
5ce4d6247db95a54407c3af3bae574b6

SHA1
0fab5ae803188ca76e82532577ee0225229924ca

SHA256
a5cfcf574081a4a7c4cb3f0a29706f55061e2ff1655c3aeaeea8b6f63f0df35e

SHA512
6b6264ddecb827004e5dceca6e5c959858ea54fa9c668ea96a9290185462d2d931e687e233b4d9da8a0f7de3d9935daaa21bc73de0a87142856c13bb55801244

Download Submit
C:\Program Files (x86)\Minecraft Launcher\tools\NativeUpdater.exe

Filesize
1.1MB

MD5
55bc64c641938f7cc3a8ae66006da2fc

SHA1
2635c35a18e3dd562f4ebc2bb18aa57c6a21a055

SHA256
480eb87aa849add7ff8fda5b32f0af46027d208a14c4642d9ce3c214ffc7ca52

SHA512
49404d80750aacf58ba72e26d3942354521d8695452dd1d4901b8abaf07beaa3b280b51734cd9ea4ac25fbe0b2ba53c831a7c5ba01e5993957ebcf4d2adba757

Download Submit
C:\Program Files (x86)\Minecraft Launcher\update_files\Minecraft.exe

Filesize
3.0MB

MD5
3399f70b5449fdd11add1feab8dffa0d

SHA1
d9d645586c3a45c0d0bc3ac86137b4c8df548102

SHA256
7f0468320fe685a443b1baa86c647eb1f643a55b69d49dad43e67fb18980cc3a

SHA512
d6bc8a9189db0508410982691debb98fed77c8f8090978f5b8ca2628b3b5fde8b0712dae0b37aec774d96c90172c1efe327c3ab477b09b7b8a650f81dbdc87a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c1539c007958d7cd_0

Filesize
339KB

MD5
8292ed9f2a97364bde977ac52306eecf

SHA1
d96eaea85b31cf4ba9d95cb9bf4bdbbb3ed68556

SHA256
0304266d26d2aed456a33e648b76b69eac4c89a20842403622f7ce49a4f8c789

SHA512
3013a5e1b6221481165bf069583e599bf01eb652bdb255331859bd34c7c371828fe44ba51387a3f8f10f26177b82f4de539786ceaea9b8c2ae180373ca86cacc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f8aae2cc087fdba3_0

Filesize
289B

MD5
1455ea9f259ea938bbca01cfd7ec972a

SHA1
4781d5876eb794609dabbf67420e671bb6296936

SHA256
2277b158b0c11d8a244102898e46bf98cdebb86051352bb186a7536725aedfa8

SHA512
1fd5044117fc4a11be8d57bb1cda1742c1e9f3df62954bb9e5e5d2bb9f97e5fb3d3070573538efe83eeab0cae69038c4d148e19372ef6312717773047dda63ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
501d32cfdba4cf8af6fce89589d80aed

SHA1
d2109fdb8bed93d670bcd9727b8115c17f717faf

SHA256
55208d71eee8eece8b81dc14cc2767e85e78c7d9c2a8ccb71e4ac8aa37069683

SHA512
b0479d7099ca0f8bf722386b544baa322e1d869252f6779c2234789dbefcd745d0c8d80c8309fd29ddd72d9368550cd364c2e7a372a54159b1df9ba365414c2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
e8d406f507621e5bae5c088078cdc8e7

SHA1
7ebe52699e84acc9e9c384e1ea7634dc14257eb7

SHA256
00bdb770e54e4f26985592af2ebe2e025b8f3dcab0da73f23ed56a52954d5c61

SHA512
4718897cf19c364a06ccc152b896216348e1b313fd9fa5dfc88b2f64cd3d1972e1f1dd74312866ca24dcb9e748cc97f76ee64f6a00268b18cf56bdedc088e828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
c4d0c235430a47500ac52018ba072691

SHA1
6a983735562a62ec8b7416dc50b16d2eaebb44c9

SHA256
a5705b8582e1e69f8018645b6fa82876cab4e4510239df0039fc5ef02c77b2b6

SHA512
c9b80c688f2316121e9d235ad5c3cb8fc4766c6e323032734859c67fa70281d1fe1f79c4e8cbbb9db0bd9ae4dfc77748a7e579d27d5a6ab5fbfb95ecf4fc404f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
6e75f61eb46eb912c8e836c568c1727a

SHA1
396725b824654b398dc1071bc318a5c43e297693

SHA256
02bbe95aa0707cdd2732906859a7e004376d372b4bfbd009d1d801b5cbcea6d3

SHA512
8e0cbcbb4af27aa968406c2fe4381f25b6c17ca09c5227aa05b4f08ffcb23c6f12c21f094d7c3a096aedd0fb25973f23c1e7f6300612bcc36efc330f27bd9ca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\238fc7fc-d33d-4f70-a904-be815b140391.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5204f721a0a05a49c94feea36a13c1ab

SHA1
d93382a40e70ea17cec9bcaf2d66714f3c0b83fd

SHA256
422bff03f4504c4d43dc7fba7da6b101c66f67c59c9d048330f0d86678fdece8

SHA512
f8e2f554ad0c9fd90a7c1690ecfacda2e5a581829cd23c2d9de639a2e2b450e2a2fa79cc5d5e18e1342c450cee274c073b38efb6f64faa949cb53d0468068204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6f235d4bc1db54d9247c6367c0981346

SHA1
13539c1d01f6870275be2b078ae0190f706e5b93

SHA256
8ef6fa7f34eb408e0c607762a1d62990fd1f99b6437e615d155eaa338445d5d0

SHA512
747b40c5eaef69fe851635ccabdc954cd7d1df75a08f4ff1208d1ae00c84707b393fe14dc7da013defb2ec1d075206989e182df105db81e7146b72861e2d7af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
2f6ae045dbcf54597cde1a17381d16ba

SHA1
df26de1316dcb60fd7390eb0ea8255bf5a6ae814

SHA256
6b8b2de3a017d2f86bd0f48129c7021ac3cb08042ab5c6ff89d4f520e82e26a1

SHA512
8a69de9ad75a3e07f8516f3a6822c961c27c6ebbc46c95a32ea37607bc1d2fe317983294ff0b0b8404c69cb5859589d7502bde5d181c65792731a96be3de9245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
37bd7c6fd8c0b0f1bec84786b22d73ab

SHA1
d767d4c5c9cccc4943e78d12425ad5ab49ea227c

SHA256
af6b5694776014d23f1a92e08fbee4fbbcd7b30cb33f2381041194a6ef6c10ec

SHA512
27505c6174ffdf2567a1518ee1a2420aca94af96154821d6fc40755448bb92b4244627201d88d42c8d079f57bce497287a3a16cba7116144fb48c816ea57dad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2194af6cfb5008a78038cac07861749e

SHA1
011695c6cc136d5e13073fa6375f4e0ff30f87e9

SHA256
ca957725c0d24bf78295edb1fed38cc273366398dc2fa2fa352151eb3bdce56a

SHA512
2118dfd2e8b9fa6eecf7b7dd1c9aab5ae7078a2a70197e935bfec0f9fa2dc162aad10033255eaa3df6d08cc492914d1a4e0820c049fa3e6d3eeea7d413591ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a25137af40e4272f6dbfe5cab279061b

SHA1
33094b989502fcb40eb42650b489e2733c3347f2

SHA256
95ceb0f8c3f3ba43002d045fef33e432be621b2b3a577d6d1978390b554afdfb

SHA512
4361be04d59287ff7cd9a759a49087c40315788bca80974c5d815c4f1c52c30477de4c62e82a7d4a9b35a2f60bddd04f1156721e8157fd1b38e3cd7ef69b6dc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ce73c3f67a0835d27f67be8f840d4aa4

SHA1
b7c643c5aabaea1b9d170334d5637195906df023

SHA256
541cac744d05a428cffd5132a5f36a411b085e7304b131e4a6df39de668342dc

SHA512
a499c2d59c3ef8ee8f1f3e77ea4ea37ed6b04756aa03431c93aa86e757f8feed593dcbd79d62d57155f990af32fabf74210538470e7b629d8bb29892d2ad74d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
02a82ac5b7642a8c5b880b6e70da456e

SHA1
e9615bd1736fa5f16701657740e66a3603a4c873

SHA256
d5fdcd18dbd9b3f96aad42333434fe5a0977e56ee377c508e8891f8486ffa7d6

SHA512
dd9efab3d752ee06378fc490d25846687e283efce13a19bea76db29eccc32852a45c2387c19c8f2f96e611b81611b2591a9d52f1fba341cd8f766cf376c2bc0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
79ebca94c48e3d66c2741b345681941e

SHA1
61241b99f7e38554d7cf2d96b3deeae63bbd055f

SHA256
01eaf5c93108f0d77a5ceb027daf8cbd8c47eb0748a1b5a60194575d8f73c30a

SHA512
f69c971eee6de3dcad7669dcacd4236b09e3a6409c064f51a143a6a161382d04ca5ca6634f5a59d3baa1a65d4c728bc6aa6a0fc321310e6f890030de60b4be9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
1ab9a791bad137c1fd6168dcc7c99d76

SHA1
978c6c4cf6c0af066134e70915c0b77dd29ae344

SHA256
200666e6c995807169ccb19afa8ed2476625b79ed5537ad06cef8cc18a809108

SHA512
87f7ded8a66a190eb5c6eb580f62db161969f4efebead41df4b347d0732b9181ab3b4be2637909735c27cc988b321be7953e24e67b425ebcdf77d6906d52d4b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
abf4585081a7aa0a302c5a0c67190f7e

SHA1
c1f20ca4b48de428daec6a5f43d2c7cf8d8bc26f

SHA256
b451f352d36f44078462e1c1dd827ce28cbe835b1ddd3ecbc5deb974a56c96a0

SHA512
aa2067ffafc6dede9f239ef1aa9f1d46d6963adeb83ab9a088433b320752f6aeb1e5afc4efced971d0d09ea92b836955823e42b7dc42a03d5dcef92323129487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d4077dd36590fa5d7c13b51803b23993

SHA1
96e4e59e05b50d06cc264d6abd9f044d03fb3899

SHA256
6d330479b748633675d690efbaa17b1c2fee92dcf95b390c1444182da4f86b7d

SHA512
6e32807214a95e2f7c98fc8b94d9f004a0a10e819b4a04c802e7babf1ba5d3262be69a50960bdfa3bd00f023e6e1ae2a017ffcb663a6dfdd3d1af85d61dbbddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
70949f583b0a8a35ec36d475c7b5f886

SHA1
fcafd28431c71a1a4701ef7fbe4e273c493b04a8

SHA256
b46713f4ed1973c18347a79394de143da7d9cf58aaef44d9daf85160b90c74b1

SHA512
4e5710556932a1f8ac7c739c62b7533c90c28fd2ce492821ac3832d7f0893add0b0bb02fad461e575d8b466400eb816ca19249a5249ca1a2e5fedc6da43dcf78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
76c6ab5a9ed2e4dbf94b36c76ec0c866

SHA1
6a9305802d4c330f0d335b75daa7ac098399f1a6

SHA256
d49db7c41da02d880b4f5b0e953aaba118de243b4321d669f596ea8f05b1fe13

SHA512
78166717838cbd2cf0319e934c9af60db57181e829be78cb7c0fd91975adc2e63a455dd63fac3431b5f53f418893cef2b1c7ad2b1921fb7eac0a6339f42e1c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
42c197c40bb24bbea864ce5c1d535455

SHA1
9c87a4a50bed64e9213d9883967682f8ce76964f

SHA256
29db1c8a04cd37c0932a9e09df57ed9d617cf21d14ff5d0c3c270b167176ad2a

SHA512
430531a66751f11c75b99e82b250835257e4483c110687d18867ec582e581f5e99f8232ac05b6df060a9c8c4ef0ca08ac3ac7d03dbbb3bc21b65dfceaff9058e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2dd106e6474a2d24fc11bc5c6f12fc41

SHA1
e600a68a80969e2d7184e149e6c97a0874a8fbf4

SHA256
1fa94082d77ebdedfbead9a9b5a830c14f2a3cd377435f5767bd5964d7571981

SHA512
483984c74114c5ebd7e63f269fb45e3e69be285fcd82624bb2919f093810a781e331b7e02403c724e857f599355c89618eda4c850c88ffcbe17bce919f86feed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
849a020b1f400bb3fbb442a5bc56b94f

SHA1
ce32350c4ad4a27a32812787ab874717bd0da839

SHA256
116fe32299a9a569e7f0bd7c2486770a6ef7f13e72257f8345d5bf14b78156d3

SHA512
a69b1a4d8be5d43410d87811a48b9c9d9a86e9be6c96de372e02c5e7d998cc7fa20d3eb2d44289d219ec7894c284f966a29e4b3939347f70a45bacdd84149b30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0500af6e76c81ecba5d78ef2bce8ef5c

SHA1
e87082763c3142afc6f0c1324b32abaccd403191

SHA256
34635292f9851564084bf47912d31eab07c22f1cd0826076f26fef2415d04f0d

SHA512
4c3e85ad1af17c9e6f337b8408f7a1a31e4688f9b5e8534e037b3eba09323a3cb7ee374236ae4ffafdb64ee8956db61cd79a840dd2aa337d3a5685e943092ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c0897bba5eb23d6d420dea27fa34ed2b

SHA1
c4f9f1504885f3a436af3a24c6d3f878d8213d3d

SHA256
99c177e3fb46cff1df6c85a549f2d2b323a2805e5538e972c588793ffb290832

SHA512
eef88029c265253406f5508a3fb5cc5373d8fbbd9a266bb3ded9b697a931ef35c94e92d8d0fd8321e5096c93db99a187e227e5f4742551f62ff4eb45ee13bb93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58721e.TMP

Filesize
120B

MD5
b6ca73f3ccfbb625af0100bac573f290

SHA1
7e7bb86f3efad926a6276c6a7ff8cab8459ff086

SHA256
af1593c6ff549794ea65b3629eb6ba4a9c9a24eba249702d0c84c5e886be9e9e

SHA512
ab275c20a7945588d9e978548bde6ac39511267d2bcf7c4c0edd6e1dab7834b70e9a829cc697fbf48b343a58a6ab1a80fa28ed093a7446c1ac41f7e7dc0e83c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
73f22f24a3c3fda221ffc717799eb71f

SHA1
56a014cf1050d4029fc18c94ab503e6bb414216c

SHA256
cc72953c8343e20d6ed1d249a91c8a3050c44f413ee27ace7cac83447ec297b2

SHA512
095a6dbe4e3c5d187fc260a73d846907bb764fc479041091d03f14918540bd8e24d6da5712b54eb6006c9672a1be4c4fc5ed7c78015e681e34e5441ae87353ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
45f446316730bc7237a02233279a16ca

SHA1
9d958dd6e2f00aeca59794372d7d23e80559e80c

SHA256
c82a35e018b101dcd0dcf9a3deee8af84bf4a4f088468aac97dfa510760ff56b

SHA512
1860c04a6b36295829d5fb4d98b4c470f1f4a8aaf29ba5140b9637ce999da20bb459bc6295b6a7e6534f39af735014d8f5f312e35f0dc7ff81257d3d1b094c1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
1386db97b980a39714cfc3e8197cc545

SHA1
cab14d94f4b0d8cc915fdeb3b2b318c1c562ad2f

SHA256
18bf860ce12e8f603d9cee3ec3fdf3a3f6a8a66e0715ab7069dd6811b35bf7be

SHA512
f309e3b5bd00c89a78ece277076b285078b79e97c578bf7951f891adf7db9445d701a202c61f4623f152aac07715fd27354a061119e6f75c7cdfa744e3f42d4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
75a6534f0d72fcd5af0275cf1fc12d26

SHA1
9b3349c5f3e434e55e53523a2be882ef3434a2d3

SHA256
83d6e62fd9174e7cfd04e29fd821af552824bd6459c174c36bfea27d878fa3c6

SHA512
3d61f6bb2dafd41553d0bda7050b6552bfd5e39fbe6b9c8d73e8c49f2cccc42b40375a89926275dce554b5de2287730adc285a647921969742bf289ad4db0c46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe593abd.TMP

Filesize
94KB

MD5
b3b15f2b06aac470638d701771e855b4

SHA1
17af3ed9e937a155c80e3e57b3e82eb19c07f625

SHA256
94a454d15a3d10b724c5663630807f462571fe51d165f1f5df6f3dfb5ca3da57

SHA512
5f9a0611aac633fd8259403899d337191e7ecde031304e569525049cd5d0a32b1fdb194cc8bfa58a23535fc7c79ef92ecbcb42a6fe96dc740054d8f3624c7dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3d3069d8-f8ca-42a2-9d30-c064f11a5720.tmp

Filesize
10KB

MD5
fc8ed59f88b91c47631c690f4e2560f5

SHA1
b337c26871e0c69bb025689d60e8c883595b12b7

SHA256
48ccd4021c87580c3715b9b8601cf473ea45c2b5e706648aca7ea06422813bbc

SHA512
a614d5d83d599c715381b33b7bc7b8127df3b34cfc85bb9bd5611d1e2c69797a2591b1f40238771076ab070344e1607ff9c81678aadd41f35d31f99ca62a6457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
236KB

MD5
b46031e02b69c55b43053aedc00e59af

SHA1
3b4f355a7ea1d6f0da5f117335499489868087d7

SHA256
296d5be0236dcc1d7ff8d3d17a47a698c0d51968c9e4907123f88e21c14e0840

SHA512
a4fd995debf4369f826dd4320c169394a6c76e65036410261bd00e025682195847f9e26f6b498e90fccc7b054f52af277cd17944f14e050bc930e3d47c8a87bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
951a78e2af9074047547770c6f710bf1

SHA1
81a12f311e9e348cdf8c0bb1bf75d18fcc7df119

SHA256
db6f8daebe2045cd4ebebedf9c276083192aead33f3c61b49775829f6352915a

SHA512
c7a1723f8b4eee16e1749d9cfb520a02c25323a09404b964b42a5f75a1a33aab275f430f01ef9be2e1071bb5c55ae704c95435d71a6c21fc651c3362046cdd61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac117c9d5605cb8b7c9a6a6fa2e8d0b0

SHA1
0f998b6051b200d7d8692c296a9e63f88b885c4b

SHA256
8a14b3b383279495fb87a96332136f4b55600f114a30870cf513ceb64647c992

SHA512
515c9adee96b77eb76a97d1fb6c319161e7426fd31043c532cf22ed0d7142982924fb26be757088eadadc367ec8958016d4cb2f4d064f01aecf4ba95b36477f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d41475006a25d6ac98dc9973e01565c

SHA1
5e3f82ce0e79f4a52a34dbea1bb16b51a73e1ce9

SHA256
45cd001da36c89ba227dc26a5d74a4e47c4db1daa7e71e79a9f15c42f5ea0d82

SHA512
94dbacc69dc852716357db5cc5a4fca48ae51592b19d20c043640dfe1706a222a1530954d21a399b7fa2482eabb406f3a3bbe963cc702aa0dd3ba65c868249c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2745.tmp

Filesize
87KB

MD5
48eaf9d4ccf75bc06bbc5d33e78b7fff

SHA1
c710753c265b148f27ff3f358bb0ee980ab46423

SHA256
9ae2608edd49d2c319bb7bcfc24550bd9fb88b2f100fe90222a6fc55ca43c589

SHA512
505f4366f7258df3a88af77dde8335709063dd43298bf0ff8529992d53a60ad8de7d7ac65533f1ffc3a7f3ad4ca3a04c85366bfb9a14b47221609e6d36951d77

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launch_attempts.json

Filesize
70B

MD5
d5835a759743a1f4d2c83635731a04a0

SHA1
8ab8e070ee576162ca2ea5606ce7157db094d1c7

SHA256
ec797ef869bb36bdeef9fd84ce01cb9f64967c027981b234962b54d439cbe536

SHA512
c77a2b6163a279efa1f1c3c8f6c26378f1fd4636ea0cf82fb7f3a940bc57d90f8928117b4aae0ea7eb053f24b5d8283c56424dc9491e8c2cd4613a7fc032d824

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt

Filesize
172B

MD5
49246493af4bd353ba9d37181950bdf2

SHA1
91d8da898f4dea3958939a5525a7fdccfa6ffc27

SHA256
2cb25a3be5808a573dc93e9dfe066e0fe7edb22d3138a44cc48990cd2ebcc891

SHA512
292cb95a90a1601dcf1d2727089f9dbd515ff6a223455dc9270e9223e78ea971395bdc34d9924c65555c2cd02fa103a81e639beb2304f200b7fcfcc0a6f3e09b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt

Filesize
9KB

MD5
428c93b55c34fc0a0f1d6036b32ddabf

SHA1
144a12176692f253058357e2dba142db7dbec3f6

SHA256
3f6ab478ff1979442343e9f6f0daf3a10891339f12bb03ed13793dccf298e43e

SHA512
cf143a29ae2acb5c82081444de857a79b7a302a25ef77b6337e36d71d1346c5958440ad59a9a1e0cb033e79ecf377b2ef93811704971407154015468cd568625

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json

Filesize
338B

MD5
0c08bb65ee23d42b6c32d9cfb2aceb04

SHA1
c474e5f2e7d6b8bdc8b30c79b11113a366d5e118

SHA256
047d8c40de807d637b53946c76f1b646b492fc3ed5e1207e4299ef434565b475

SHA512
cf5675737486de4ea2a21423c1a30e221855e39e046b9e9f0b207bbdd7f7d0c32296116e2946cdad885ba8a677f3ba1f44342e5fd66389b0b7dc326507cc62b3

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7e8956ea1e9ea9b75ece08e304b8a6c8

SHA1
c17cb9bf0d81fcd42ff49b69d90cb9f0182f03bf

SHA256
3faa6da21b8a1095e7342c3009604db0c2a33a7567a47a40b4ef577b0334cb39

SHA512
61841db2c4c2005175a5c0cde48d1dd01790219209396c71908fe0869a1c7ceb95bf60cc67b48b49ef797390bd72025fb06f9fc301fa09a027b73f556f8f368e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d6fb9fcead753cb124f553c2632c60bf

SHA1
3be3df9698d74575627dbf7086b97207c80f1091

SHA256
f68991c3d75c6c6d86fe98b92a3ba5cd225d37750af5d94d875be15a761eeae7

SHA512
c7a60863763f3527c9a329006784c207e26c8b946711fadf3b5147df4662565b01402ba793274ad5ef698382f0c3629fff1406550843bd914480922e7e35bdc3

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\LocalPrefs.json

Filesize
638B

MD5
85c4deb455f7ef2531dec31d13eb46de

SHA1
76de6d1a2cafb9fcde5fa024fd8c32242b0165da

SHA256
9141cc3b7697fc8f0621fe93f9b148fc0e7faad972eebe88496dafda89bd1f48

SHA512
a614265dc71310d4fb1cc3730a426628b6e6bf4849f3f8a8706941dedd0e46e58b770c95c88fff03fdc798bbabe959f966f87e5528b25d417c1b2e14279c2348

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\LocalPrefs.json~RFe5ba015.TMP

Filesize
484B

MD5
66e5350291b4a647d24440a1e7b1345e

SHA1
7c85e9e8b14fb613ca1397eb51a74fcd9e74cef4

SHA256
583799ccfd53dfca34bdfcc7b1d74ebe59cfd9fcd19e19c6f9d6ea7cff614714

SHA512
f7c919ba6cbea97985f453685499d5d5635a564eb73bede2cc4165b7186e20e6fe41a9e7b2f50e7712dec8ace18d0da5f4684791c93ccb731ad43d8ec5bcf9f1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network\Network Persistent State

Filesize
477B

MD5
fa92e3b80a999c2dc72b42b3571907b1

SHA1
af78c71fddefc77e5c4f0a4abdfef56ae5660424

SHA256
46215ad5c202a4033e291fb09057f9e6c466e961d7db6e47449a9d7ce0df7182

SHA512
668024fa5540c9065bb7616ea21cf77d2e1ea29137f3f1a1b659c8ec71f3d0b5e0104d3017dcfbf9a2360b89e987f1f444b98b07c8bd496c9c68230fe7ec55a1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network\Network Persistent State~RFe5ba6ac.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 648034.crdownload

Filesize
2.0MB

MD5
cae41f3746d3c4c440b2d63a403770e7

SHA1
5c4831d9705f2e00e3cd993e89b822636492932a

SHA256
e31f1cc8a5ed521cf5058e121c16512e3b7f9ca80b2d8a10a5d8c1d8f2168222

SHA512
03f14c54990872aeb59fd5d399fa9b32510c14ebd1f57597c1d6d1de3c688f372653f8529453ed22675af2f6fd2c3e3a5aa3365d94449d668de33c211e2c44ad

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 806830.crdownload

Filesize
2.1MB

MD5
02d7f8e22149e154487f2fdddfcec8c5

SHA1
390019b5f2c24f14dd398ab4ba8bef0183a923af

SHA256
d9618862a64da8a5c86f2c9cde65b48ab92ff8bbc14d5f3c7946539a44e2db17

SHA512
140d1b9c320e29eca7e9ad2ed0c75004d2421f612a6cafb593d168856fa918ed7bc607ddcebc042a3a26a3e819785d9cea4ef1a298ad1f13dd4181c5b5b3e2cb

Download Submit
C:\Windows\Installer\MSI621C.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
0213acf4238a3a83527ac95b2e80ab99

SHA1
aea863bdf6fef4d3865ea2f58e0d317df79ac569

SHA256
fc83ff608959945e3e9f6e05e6a4e9fa8897c00db79b8cb52a4a14c0698a6b22

SHA512
d5bd65411d20c745936ad141c02f27584019a4b390f83160793c9c10108e6caefe2da784676c328667af3e31c3ad982ca396c7c0fc859e3f4e8f40c1a1204806

Download Submit
\??\Volume{b8b1c3f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ee38b3aa-b541-4e70-9438-bf3dca3f50c3}_OnDiskSnapshotProp

Filesize
6KB

MD5
eabc847f41005df3c7df5ecbf9c6a525

SHA1
148e80639d86126ef893fe4ccf061eb42b0c7abc

SHA256
0f5155bbbe4aef56826479e1fa1be03cbd979fa4a56b329bff5df49bcd93b92a

SHA512
f989b397c500b9d08a902ab943f80f3b80dd621930e037e829f36f86fec335c0d1d8d0b2c71665596baac8afa08d7ad433250789e697ddba85500e9639670004

Download Submit