Malware Analysis Report

2024-10-16 06:42

Sample ID 240618-qhf1ssvekg
Target EasyMC_Setup_v1.6.14_x64.exe
SHA256 eb71dad7e3c7fc10f128a9f4c1aebdb527eb4192e3525010322559ca9b63d610
Tags
discovery evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral3, behavioral9, behavioral14, behavioral25, behavioral4, behavioral15, behavioral24, behavioral28, behavioral30, behavioral2, behavioral21, behavioral12, behavioral18, behavioral19, behavioral31, behavioral7, behavioral13, behavioral17, behavioral1, behavioral6, behavioral8, behavioral16, behavioral20, behavioral26, behavioral27, behavioral5, behavioral10, behavioral11, behavioral22, behavioral23, behavioral29, behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

eb71dad7e3c7fc10f128a9f4c1aebdb527eb4192e3525010322559ca9b63d610

Threat Level: Likely malicious

The file EasyMC_Setup_v1.6.14_x64.exe was found to be: Likely malicious.

Reading the verdict: the score is built from generic signatures, and the runs below show a mundane origin for most of them. The dropped DLLs are standard NSIS installer plugins (System.dll, StdUtils.dll, nsExec.dll, nsis7z.dll, SpiderBanner.dll under $PLUGINSDIR / nsf52E4.tmp), the installed launcher is an Electron application (crashpad handler, Sentry ingest domain), the tasklist | find pipeline filters on IMAGENAME eq EasyMC Launcher.exe, and the REG QUERY reads MachineGuid. The one behavior the report does not explain is the write to C:\Windows\system32\drivers\etc\hosts by the dropped EasyMCHostsRemover.exe (behavioral24, behavioral25): the rows show the file was opened for modification but not what changed, so that file should be diffed before and after the run.

Malicious Activity Summary

discovery evasion

Drops file in Drivers directory

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Resource Forking

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 13:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2884 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240611-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zip\win\ia32\7za.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zip\win\ia32\7za.exe

"C:\Users\Admin\AppData\Local\Temp\7zip\win\ia32\7za.exe"

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240611-en

Max time kernel

122s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe

"C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4228,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/3380-0-0x000000007458E000-0x000000007458F000-memory.dmp

memory/3380-1-0x0000000000D10000-0x0000000000D18000-memory.dmp

memory/3380-2-0x0000000005BE0000-0x0000000006184000-memory.dmp

memory/3380-3-0x0000000005630000-0x00000000056C2000-memory.dmp

memory/3380-4-0x0000000005730000-0x000000000573A000-memory.dmp

memory/3380-5-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3380-8-0x0000000074580000-0x0000000074D30000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 724 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zip\win\x64\7za.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zip\win\x64\7za.exe

"C:\Users\Admin\AppData\Local\Temp\7zip\win\x64\7za.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240508-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe N/A
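The "Drops file in Drivers directory" rows here and in behavioral25 record only that EasyMCHostsRemover.exe opened C:\Windows\system32\drivers\etc\hosts for modification, not what it wrote. The check an analyst runs next is a before/after diff of the file plus a classification of every active mapping. The Python below is an added example, not code from this report or from the EasyMC project; the two hosts snapshots are constructed for illustration, and the watch-list of domains passed to audit_hosts is an assumption.

```python
import ipaddress

# Constructed sample snapshots of a hosts file, as it might look before and
# after a "hosts remover" ran. Neither is the real content from the sandbox run.
HOSTS_BEFORE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1   myapp.local
0.0.0.0     api.easymc.io
203.0.113.7 login.example.com   # non-local target: traffic redirect
"""

HOSTS_AFTER = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1   myapp.local
203.0.113.7 login.example.com   # non-local target: traffic redirect
"""

# Addresses that block a name rather than redirect it.
NULL_OR_LOOPBACK = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, [hostnames], line_no) for each active entry; comments are dropped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        yield str(ip), fields[1:], no


def audit_hosts(text, watch_domains=frozenset()):
    """Classify every active mapping.

    blackhole - a watched domain pointed at a null/loopback address (blocked)
    local     - any other null/loopback mapping (normal dev/test use)
    redirect  - a name pointed at a real address (the case worth chasing)
    """
    findings = []
    for ip, hosts, no in parse_hosts(text):
        for host in hosts:
            if ip in NULL_OR_LOOPBACK:
                verdict = "blackhole" if host.lower() in watch_domains else "local"
            else:
                verdict = "redirect"
            findings.append({"line": no, "ip": ip, "host": host, "verdict": verdict})
    return findings


def hosts_diff(before, after):
    """Return (added, removed) mappings between two snapshots of the file."""
    b = {(ip, h) for ip, hs, _ in parse_hosts(before) for h in hs}
    a = {(ip, h) for ip, hs, _ in parse_hosts(after) for h in hs}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for f in audit_hosts(HOSTS_BEFORE, {"api.easymc.io"}):
        print(f"line {f['line']}: {f['ip']} -> {f['host']} [{f['verdict']}]")
    added, removed = hosts_diff(HOSTS_BEFORE, HOSTS_AFTER)
    print("added:", added, "removed:", removed)
```

On a real case, capture the hosts file from the clean image and from the post-detonation disk (or from the sandbox's file events) and feed both to hosts_diff; a "redirect" verdict on any added entry is the finding to escalate, a removed "blackhole" entry tells you which block the remover lifted.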

Processes

C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe

"C:\Users\Admin\AppData\Local\Temp\hostsremover\EasyMCHostsRemover.exe"

Network

N/A

Files

memory/2256-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

memory/2256-1-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

memory/2256-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2256-4-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20231129-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 1812 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2864 -s 88

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240419-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(2 events) N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
(2 events) N/A C:\Windows\SysWOW64\tasklist.exe N/A
(18 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 3936 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 3448 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3936 wrote to memory of 3800 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4020 wrote to memory of 4148 (2 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 4148 wrote to memory of 1232 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 4020 wrote to memory of 2840 (2 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 4020 wrote to memory of 2288 (40 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 4020 wrote to memory of 2964 (2 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 4020 wrote to memory of 872 (2 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 4020 wrote to memory of 3584 (2 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
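The WriteProcessMemory table is easier to read as a process tree: the setup binary (4192) drives a cmd.exe that runs tasklist and find, while the launcher (4020) is a separate root that spawns cmd.exe/reg.exe and its own Electron child processes. The Python below is an added example, not code from this report or from the sandbox vendor; it parses rows written in the table's own format (with repeated rows counted as repeated writes) and also accepts an assumed "(N events)" shorthand after the child PID, weighting that row as N writes. The input rows are a constructed subset of the table above.

```python
import re
from collections import defaultdict

# Constructed input in the format of the WriteProcessMemory table above.
# Each line is one parent -> child write; a pair that repeats means several
# writes. "(N events)" after the child PID is an assumed shorthand for N
# identical rows and is weighted accordingly.
ROWS = r"""
PID 4192 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3936 wrote to memory of 3800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4020 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 4148 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 4020 wrote to memory of 2288 (40 events) N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 4020 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
"""

# Image paths contain spaces ("EasyMC Launcher.exe"), so split on the
# " C:\" boundary between the two paths rather than on whitespace.
ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events?\))? N/A (C:\\.+?) (C:\\.+)$"
)


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image, writes) per row."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            writes = int(m[3]) if m[3] else 1
            events.append((int(m[1]), int(m[2]), m[4], m[5], writes))
    return events


def build_tree(events):
    """Map every PID to its image and count writes on each parent -> child edge."""
    image = {}
    children = defaultdict(lambda: defaultdict(int))
    for ppid, cpid, pimg, cimg, writes in events:
        image[ppid] = pimg
        image[cpid] = cimg
        children[ppid][cpid] += writes
    is_child = {c for kids in children.values() for c in kids}
    roots = sorted(p for p in image if p not in is_child)   # never written to
    return image, children, roots


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(image, children, pid, depth=0, writes=0):
    """Indented text tree; each child shows how often its parent wrote to it."""
    tag = f" ({writes} write{'s' if writes != 1 else ''})" if writes else ""
    lines = [f"{'  ' * depth}{pid} {basename(image[pid])}{tag}"]
    for cpid, n in sorted(children.get(pid, {}).items()):
        lines.extend(render(image, children, cpid, depth + 1, n))
    return lines


if __name__ == "__main__":
    image, children, roots = build_tree(parse_rows(ROWS))
    for root in roots:
        print("\n".join(render(image, children, root)))
        print()
```

Two roots come out of this data, 4020 and 4192, because no row shows the setup process writing to the launcher; the launcher was started by the installer (the "Executes dropped EXE" signature) without the memory writes that a CreateProcess with injected startup data produces. The 40 writes into PID 2288 line up with the crashpad-handler child in the Processes list, which receives its initial client data through exactly that mechanism.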

Processes

C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq EasyMC Launcher.exe" | %SYSTEMROOT%\System32\find.exe "EasyMC Launcher.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq EasyMC Launcher.exe"

C:\Windows\SysWOW64\find.exe

C:\Windows\System32\find.exe "EasyMC Launcher.exe"

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\easymc-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=easymc-launcher --annotation=_version=1.6.14 --annotation=prod=Electron --annotation=ver=16.2.8 --initial-client-data=0x428,0x460,0x458,0x45c,0x44c,0x7ff7fcf629d8,0x7ff7fcf629e8,0x7ff7fcf629f8

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1640,9276256291475083563,18049687833462778926,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 /prefetch:2

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,9276256291475083563,18049687833462778926,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1940 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\easymc-launcher\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1640,9276256291475083563,18049687833462778926,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2360 /prefetch:1

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1640,9276256291475083563,18049687833462778926,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2588 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.easymc.io udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 api.easymc.io udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 o1089307.ingest.sentry.io udp
US 8.8.8.8:53 dns.google udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\SpiderBanner.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\nsExec.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\nsis7z.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\LICENSE.electron.txt

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\LICENSES.chromium.html

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\snapshot_blob.bin

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\7zip\linux\x64\7za

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\7zip\mac\x64\7za

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\am.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ar.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\hostsremover\EasyMCHostsRemover.exe

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\7zip\win\x64\7za.exe

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\7zip\win\ia32\7za.exe

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\da.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ca.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\bg.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\en-GB.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\es-419.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\en-US.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\es.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\kn.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ko.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\lv.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\lt.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\nb.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\mr.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ml.pak

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\locales\ms.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\pl.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\app-update.yml

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\app.asar

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\assets.d.ts

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\entitlements.mac.plist

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\icon.icns

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\icon.png

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\icon.svg

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\icons.icns

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\icon.ico

MD5 ba449c2f602dbee8ccb754ab9ccb013b
SHA1 b61391be537be84bb22140a22d43fbf96472cc55
SHA256 8557d5790488957917671bb447fa41248961cbcf60395023d700f4b431e16db8
SHA512 cc5ca1fc2844ad01eeb5dc50d469427a6a4c18ae54c5732e8cb9f20be5667207330f870d18e681503ae2bf9c6c94a03eac8b83d8d32e344101566a933405b885

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\images\mojang.png

MD5 c87524b65e064c564d97b782cd5e49be
SHA1 439e9d6ba008a53015bb35dd4c757f68a27035c7
SHA256 ab15f46745e9f79b03f2dd414db0692c43776297b416c508dfb478f3fc31d517
SHA512 4bc2c07479aac39b2529c6639f7dbbfa6866b10dc2aee055b549f8d49e6609e68d9073166169c304cea65784c45c18ba9bc3a751fdefeaa0e8df1174e7ec2b9e

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\images\microsoft.png

MD5 4d388badb05661ef1163991b0d40a55e
SHA1 ae4fea8bea799d9e012946112081e8441ddebe67
SHA256 e3345ae5060dcd5a7e5b9e61735c8b66916152831298707a5b809e5120a88be6
SHA512 87dc0b07479234ef61c4b1a838ee629dfe4d62c6c02337182f561fa6209f82c5070a3c0f072e22030a3c8c21dc551f66b6d05d3a2809d0f5f3b6ca7afe34a846

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\swiftshader\libEGL.dll

MD5 be1b6fe26a1b5a3e1302c26ce5ce53f3
SHA1 c3cac08e89c4cc91eae1cc87e33a1dea723f1d78
SHA256 162abe61314e720384d8cdd43190a89df8a96de52f3ede7b6c58998f615d8546
SHA512 07dca111391dfb6b7e90d4be02071bc625128eeca0b9d9a3cebdc7916baec9f95cbbf906f2533befd6b62b9bbc69488ffa720f8d40c9710dd3b7d540d9dcaa55

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\resources\assets\images\grass_block.jpg

MD5 306cea0ed44b65ad39b655b390cd7193
SHA1 f6eed63cef5c6753e43becc09b337119779a12a4
SHA256 d41c38b285922cea8c7fff69ffdecf536a438b080d1cd7de05dbbda8d2c8edf9
SHA512 8ca08690130c679e01b5e29781b2e113bcd24aa80875d39ec6d3800f6119a36c4ff029c8c062d5f9fde8b049e0556e2e1083e821236862563a4699a0c09565f6

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 1e401ccda5b723ab8a595a54f7d2531c
SHA1 127716680dd16f776b19c2306d716935e54c5100
SHA256 c167a458174e2a280c39d7af31bd109e8e2921032a687097b584653adc33ab21
SHA512 1f2f35021f338aa7c5a0ae83c196217fbca6b1d017ac1bb4f1eebb93bd6e18c5d74c1a14bd4899d7a91d054b0139b2c4fc3271c35148ad1d8b71139aff0132fc

C:\Users\Admin\AppData\Local\Temp\nsf52E4.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad\settings.dat

MD5 4599dd1434c2ab0ac8cd5189f5fb6c34
SHA1 da491158b3682e48042340cdf485246a0f12a659
SHA256 9827f479e27213a6b51115799944669e53a97f314e12d45c1cb3917618d201e7
SHA512 3be8c0b30b7370d38b5b17d724d7a895b8f2d0a15939514bc1c1fc2a74c1f1839b7146d900ea0c869f25fb48dccfd3f612d770d7582f4f1866be42955f7315a0

memory/2288-885-0x00007FFEE96F0000-0x00007FFEE96F1000-memory.dmp

\??\pipe\crashpad_4020_NHMSPKLLFKWQRVMD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\easymc-launcher\logs\main.log

MD5 e0df7aadbfe41e6d510d233e61292997
SHA1 36ec074d4524b2417a5d26bd8c890b76f696544f
SHA256 c0a261bf84ce156b7bad44a9499a603f8a4a045d050a6e1008a81332afe4648b
SHA512 b13122f99e69fab0d5a72e13cc3eb498b499174d95002dc754fcacf594bde242990ade4e6532cb2219e3a39a7c040069716e273003742757bb98cfe0e17362a3

C:\Users\Admin\AppData\Roaming\easymc-launcher\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\easymc-launcher\sentry\queue\8c880c451a664229a1f2f22d77d2287e

MD5 2528fdd28cbb28f9184019099b2de1c9
SHA1 ff9a8561a62a8fa596f58a9e3e458b299eefb6be
SHA256 4606ca518f0c816681b00423ca87b7315a226a6a58cca39dc7b798fd92a0061e
SHA512 7d74701af291c907b2a2b695f8cc18d85ee5d4fb6d22c14cc247fc01820a51c25a9ec1eeb7e1f148f38bf3ea82e2466b66fe650ada5780da42f42062cabe735d

memory/3584-1017-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1019-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1018-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1025-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1029-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1028-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1027-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1026-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1024-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

memory/3584-1023-0x0000025FD16C0000-0x0000025FD16C1000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

macos-20240611-en

Max time kernel

149s

Max time network

139s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/7zip/mac/x64/7za"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/7zip/mac/x64/7za"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/7zip/mac/x64/7za"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/7zip/mac/x64/7za]

/bin/zsh

[/bin/zsh -c /Users/run/7zip/mac/x64/7za]

/Users/run/7zip/mac/x64/7za

[/Users/run/7zip/mac/x64/7za]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.91.71.16:443 tcp
GB 23.59.171.16:443 a1366.dscapi6.akamai.net tcp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.21.189.171:443 help.apple.com tcp
GB 2.21.189.171:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 92a8614e598c1853fdda2fde75ef2504
SHA1 0c9a40fbaaccc713338b5cee815c4eb57125ff84
SHA256 f4fa58087ac1a015defdbc52f8216269e68833630cb28a2ba3f8c32b03d8739d
SHA512 e878eaa713c249f9ef2d7f02274e78fd5ba079cd0457a789808ef28b1abf79e968f81249d79f3a09d24aeeccb0ca1c0b2934b4dd7361d7f925bd1e7da62c51c8

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:29

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried [x2] \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) [x2] \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Set value (data) [x2] \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Set value (data) [x2] \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A

Note: the two thumbprints are those of DST Root CA X3 (DAC9024F...7C13) and ISRG Root X1 (CABD2A79...A5E8), the roots of the Let's Encrypt chain. The launcher process itself writing these into AuthRoot and ROOT while it opens its first TLS connections (api.easymc.io, then apps.identrust.com over port 80; see Network below) is consistent with Windows' automatic root-certificate update in crypt32 populating the store, not with an attacker-controlled root being installed; the blob contents, which this report omits, would settle it.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4176 [x2] N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 2568 [x2] N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 4832 wrote to memory of 3288 [x2] N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 4832 wrote to memory of 5404 [x40] N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 4832 wrote to memory of 2616 [x2] N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 4832 wrote to memory of 3080 [x2] N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 4832 wrote to memory of 4544 [x2] N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\easymc-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=easymc-launcher --annotation=_version=1.6.14 --annotation=prod=Electron --annotation=ver=16.2.8 --initial-client-data=0x454,0x468,0x47c,0x45c,0x49c,0x7ff7f9ba29d8,0x7ff7f9ba29e8,0x7ff7f9ba29f8

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1528,17494923046235160232,14645142107294185008,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,17494923046235160232,14645142107294185008,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1920 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1528,17494923046235160232,14645142107294185008,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1528,17494923046235160232,14645142107294185008,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3396 /prefetch:2
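The WriteProcessMemory table above logs one row per write, so the chain that matters for triage (a launcher running out of the user's Temp directory spawning cmd.exe, which spawns reg.exe to read HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid) is buried among dozens of identical launcher-to-launcher rows. The script below is an added example, not part of this sandbox report or of the EasyMC project: it rebuilds the parent/child graph from rows in exactly this format and pulls out every lineage that starts in a Temp directory and ends in a Windows system binary. It assumes, as this report's layout implies, that a "PID X wrote to memory of Y" row recorded at child creation can be read as a process-creation edge; the sample rows are constructed from the table above, with the 40 repeated 4832 -> 5404 rows generated rather than pasted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, copied from the behavioral18
# "Suspicious use of WriteProcessMemory" table (one string per original row).
_LAUNCHER = r"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"
SAMPLE_ROWS = (
    [rf"PID 4832 wrote to memory of 4176 N/A {_LAUNCHER} C:\Windows\system32\cmd.exe"] * 2
    + [r"PID 4176 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe"] * 2
    + [rf"PID 4832 wrote to memory of 3288 N/A {_LAUNCHER} {_LAUNCHER}"] * 2
    + [rf"PID 4832 wrote to memory of 5404 N/A {_LAUNCHER} {_LAUNCHER}"] * 40
    + [rf"PID 4832 wrote to memory of 2616 N/A {_LAUNCHER} {_LAUNCHER}"] * 2
    + [rf"PID 4832 wrote to memory of 3080 N/A {_LAUNCHER} {_LAUNCHER}"] * 2
    + [rf"PID 4832 wrote to memory of 4544 N/A {_LAUNCHER} {_LAUNCHER}"] * 2
)

# Image paths contain spaces, so the process column is matched lazily and the
# target column is anchored on a drive letter ("C:\...") rather than split on whitespace.
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P<indicator>\S+) (?P<process>.+?) (?P<target>[A-Za-z]:\\.*)$"
)


def parse_rows(rows):
    """Return (edge_counts, images): writes per (parent_pid, child_pid) pair,
    and the image path the report recorded for each PID (first occurrence wins)."""
    edges = Counter()
    images = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        parent, child = int(m["parent"]), int(m["child"])
        edges[(parent, child)] += 1
        images.setdefault(parent, m["process"])
        images.setdefault(child, m["target"])
    return edges, images


def lineage(edges, pid):
    """Root-to-leaf list of PIDs for `pid`, following the writer as parent."""
    parent_of = {child: parent for parent, child in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
        if len(chain) > len(parent_of) + 1:  # defensive: malformed/cyclic input
            raise ValueError("cycle in spawn graph")
    return chain[::-1]


def chains_from_temp(edges, images):
    """Lineages whose root image runs from a user Temp directory and whose leaf
    is a binary under C:\\Windows (e.g. Temp launcher -> cmd.exe -> reg.exe)."""
    parents = {p for p, _ in edges}
    leaves = sorted({c for _, c in edges} - parents)
    found = []
    for leaf in leaves:
        chain = lineage(edges, leaf)
        root_img, leaf_img = images[chain[0]], images[chain[-1]]
        if "\\AppData\\Local\\Temp\\" in root_img and leaf_img.lower().startswith("c:\\windows\\"):
            found.append(chain)
    return found


def render_tree(edges, images, root):
    """Indented text tree, one line per distinct child, annotated with write counts."""
    children = defaultdict(list)
    for (parent, child), n in edges.items():
        children[parent].append((child, n))

    def walk(pid, depth, count):
        label = f"{'  ' * depth}{pid} {images.get(pid, '?')}"
        if count:
            label += f"  (x{count} writes)"
        lines = [label]
        for child, n in sorted(children[pid]):
            lines.extend(walk(child, depth + 1, n))
        return lines

    return walk(root, 0, 0)


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(edges, images, 4832)))
    for chain in chains_from_temp(edges, images):
        print("Temp-rooted chain:", " -> ".join(f"{p} ({images[p].rsplit(chr(92), 1)[-1]})" for p in chain))
```

Feed it the rows of any detonation in this report to get a spawn tree with repeat counts instead of a flat list; the Temp-rooted chain it reports here corresponds to the MachineGuid query shown in the Processes section, which is how Electron apps commonly derive a host identifier, and is worth checking against the launcher's own network calls before reading it as malicious fingerprinting.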

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 api.easymc.io udp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.74:80 apps.identrust.com tcp
US 172.67.149.107:443 api.easymc.io tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 107.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.4.4:443 dns.google udp
US 172.67.149.107:443 api.easymc.io udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 172.67.149.107:443 api.easymc.io udp

Files

C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad\settings.dat

MD5 da3567a99b89715c1ab716fea9466e2b
SHA1 a682cb23a50a57a47bbd5378d8ec9ae8f0de00d1
SHA256 8b0b4bf96189f541b85320c8a5f4d5943d4871c2ad3074faa0b01a01db9c2839
SHA512 a0af33fd7272db84d113363bf0111cdb4676505882875daabb0b58c80635886ee876d5a820e3055b0642ef9263c8eb06247448234e71c6280a8739880273cdc4

memory/5404-6-0x00007FFDA1440000-0x00007FFDA1441000-memory.dmp

\??\pipe\crashpad_4832_MZXONZHYBXQUXZCO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\easymc-launcher\sentry\scope_v2.json

MD5 4bd063cbd868a2b0eb3db0e07f916f27
SHA1 cf7ecca4c40fa7ed2f476d37d57e7ad1a5f95d1f
SHA256 8ae68673ec6d68f393b97e3a5951cdb1daa0afbbf738a6086399fa511b368901
SHA512 2a864e317027a055fb240ec44fd8bb2ea636143263136c583112d3cfff5810eafd86838c231ef510b5c230ee36ae0b3b5a40748c26f7e2a4ec7c22fbb73dc42c

C:\Users\Admin\AppData\Roaming\easymc-launcher\TransportSecurity~RFe59819a.TMP

MD5 071f6df04b7d3125d32215804b5a66ac
SHA1 3e0941f62229e74f3fe97b7b22c3eaa617e04e09
SHA256 1e4ef679e70825d0ebf434d2c39733d60cf0d60c336978bf8cefcde455f009b8
SHA512 fab25946290ddeb90a0faab007bfca979ff23c2b9a825954d32f1a3295527117078f6ef163a84b191065269c1501846c8f7e9ba920d086a9a62c77b64683eeb2

C:\Users\Admin\AppData\Roaming\easymc-launcher\TransportSecurity

MD5 d4436572851cafe45506ccd661d2b5f4
SHA1 42e28446a7e7ca368097182c0639528bdb403f7c
SHA256 457445a03a2e016a1514547d29347c3db660c211325b7288175ae88ec2565436
SHA512 b01b633c38b4c0b327261ca84b0c716ea9c02bb50b53b290d5c52b3326340df5e18b8213e5a5f8cc85ec899f38131418856e040e4144f8b43dac568d204977dd

C:\Users\Admin\AppData\Roaming\easymc-launcher\Network Persistent State

MD5 daf6da1f8449e24e81629586dd13a604
SHA1 42efb6338bdf91ae8731a796d57a46f75eb5af5c
SHA256 b01b7ce6b518f013289292650a01cff7d5651b39946d9d905e2a7746000bb21e
SHA512 865a72031538ebe4d3283f311a36329aa979848e9c5a72115d604357ee47c631986ef50a10b54cc14c708db39f8b4a642278368d5bc44b0f1e14c2f3030783d6

C:\Users\Admin\AppData\Roaming\easymc-launcher\Network Persistent State~RFe598226.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/4544-134-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-136-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-135-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-141-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-145-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-146-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-144-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-143-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-142-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

memory/4544-140-0x0000028DE2500000-0x0000028DE2501000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240508-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{549EE8D1-2D76-11EF-A04B-4EB079F7C2BA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 501b4a2983c1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000009c3244bc35300fa1ee3d132bcb6c7560f07d75668ca5d0e3ebc5cc08eca5771f000000000e8000000002000020000000ed9c30d3a97e6a47e1f5bc89ace2c4606a5d0bd718236efb6f098f883dc4953b900000007fd96471f496d307fcd915b45d8f077cb249dc115eb0490ac95c0aa06cc780762480b410ff72e421b93618fa7bd0ab003296583ed5501ef1b222869041f41aeb69504f5a475661ea9cc86f57db3da53ac8cefc6f9c5d38f2ae0c7b9495a403953a794e495b1692eeebb3456e12a4af44058be1e8ef248bd9a0cdec20cbc5b5d19862947405062b6e684418a7a214e6d1400000003a10a83ba6c7817a67b6ae9a623fec12a2509566273b91f6088cc68a059698cc9277d6aba4a83f68a7c655722ba762b2c95463e6d58c6a6f6d832306f53ae1bd C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424879062" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000081b970514f5c9f467ff5ef5e3e02e5e7da04bbc1b2553cb091fc9fa2333bab41000000000e8000000002000020000000c48141b6a957524499c2c48c55b8d74153a9dfb6e5636f6cffd639bcec2e6b6e200000000d44c77e187edca74d2c25c3019732bb6aa4bd6e65ff085cca2b41ee62051d114000000062ab74896ae381f21ad3cb8ae53552e9a235a1525876ff05a972c9281035374abd08a41dcaf45dad6eb2fa9df0e56fac54c9153c397ebc8812d04681bc16d5c2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:29

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 220

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20231129-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zip\win\ia32\7za.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zip\win\ia32\7za.exe

"C:\Users\Admin\AppData\Local\Temp\7zip\win\ia32\7za.exe"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:29

Platform

win7-20240611-en

Max time kernel

127s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2148 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2148 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 3020 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
PID 3020 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\easymc-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=easymc-launcher --annotation=_version=1.6.14 --annotation=prod=Electron --annotation=ver=16.2.8 --initial-client-data=0x2f8,0x30c,0x2ec,0x300,0x304,0x1475029d8,0x1475029e8,0x1475029f8

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1076,12885832042759321462,18246161002487834179,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,12885832042759321462,18246161002487834179,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1340 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1076,12885832042759321462,18246161002487834179,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1568 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1076,12885832042759321462,18246161002487834179,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1208 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r2---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.103:443 r2---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.103:443 r2---sn-aigl6nz7.gvt1.com tcp
US 8.8.8.8:53 api.easymc.io udp
US 104.21.29.153:443 api.easymc.io tcp
US 8.8.8.8:53 api.easymc.io udp
US 172.67.149.107:443 api.easymc.io tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 api.easymc.io udp
BE 23.14.90.74:80 apps.identrust.com tcp
US 104.21.29.153:443 api.easymc.io tcp
US 104.21.29.153:443 api.easymc.io tcp
US 104.21.29.153:443 api.easymc.io tcp
US 104.21.29.153:443 api.easymc.io tcp
US 104.21.29.153:443 api.easymc.io tcp
US 104.21.29.153:443 api.easymc.io tcp
US 104.21.29.153:443 api.easymc.io tcp
US 104.21.29.153:443 api.easymc.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
US 172.67.149.107:443 api.easymc.io udp
US 172.67.149.107:443 api.easymc.io udp

Files

C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad\settings.dat

MD5 82d7cd6e5396c20a254e2b80b6994c23
SHA1 8161a743d10a020fd73408669cad8b38cf157d1d
SHA256 d92733dbbb638a43c32cb77d72a9adb196fda9a907af95cfe87b2f454ebb8dff
SHA512 143e3e4e7b7c385093f56b652a1c044020451d8001f14060bfbc92d4d8795508cec0080862b04288d68acd927e4b3f51e6586090124661f5681ba3dd839660d1

memory/2308-6-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2308-38-0x0000000077420000-0x0000000077421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAC58.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarACF7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e0a7f2df0df116d5599fa89d9fcea13
SHA1 9d36ed117113127b2537246040a8fc5835eccd35
SHA256 037c0da14537323ba0850874b7e03a081884d153c897aa32af68d385d0ca068a
SHA512 fb74bf1b259d7014150ad4b2524c57d7108c292911af903551cf992a743f8e552a1a3029da71bbf47ced47c7a223f543549cd866b56992ab26e3443f7dbfd5cc

C:\Users\Admin\AppData\Roaming\easymc-launcher\sentry\scope_v2.json

MD5 18c7c43e9bb566e169a7bb30fefe9841
SHA1 4c28208feab495d50bbc70d00c905205bf9c9ce5
SHA256 561e384ecb74fb531dfd79af714ad1a17a998ad1c270affa365e4601580d21fe
SHA512 21d835f4d71176f543638207f76035399c94fee0b5b24112d4a464cc423dedc6a1812b20fa5fa9cc4d00ee761678253da4bf00d9c892bd8bc9fe24634ba52f54

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240611-en

Max time kernel

130s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1208 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1208 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1208 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1208 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1208 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1208 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1208 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2984 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2468 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2468 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2984 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe
PID 2984 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe

"C:\Users\Admin\AppData\Local\Temp\EasyMC_Setup_v1.6.14_x64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq EasyMC Launcher.exe" | %SYSTEMROOT%\System32\find.exe "EasyMC Launcher.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq EasyMC Launcher.exe"

C:\Windows\SysWOW64\find.exe

C:\Windows\System32\find.exe "EasyMC Launcher.exe"

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\easymc-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=easymc-launcher --annotation=_version=1.6.14 --annotation=prod=Electron --annotation=ver=16.2.8 --initial-client-data=0x2fc,0x310,0x2f4,0x304,0x308,0x1472229d8,0x1472229e8,0x1472229f8

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1048,10582484457668269178,3096515656141233891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1056 /prefetch:2

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,10582484457668269178,3096515656141233891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1316 /prefetch:8

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\easymc-launcher\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1048,10582484457668269178,3096515656141233891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1516 /prefetch:1

C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe

"C:\Users\Admin\AppData\Local\Programs\easymc-launcher\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1048,10582484457668269178,3096515656141233891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1200 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r2---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.103:443 r2---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.103:443 r2---sn-aigl6nz7.gvt1.com tcp
US 8.8.8.8:53 api.easymc.io udp
US 8.8.8.8:53 api.easymc.io udp
US 104.21.29.153:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.73:80 apps.identrust.com tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 172.67.149.107:443 api.easymc.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 104.21.29.153:443 api.easymc.io udp
US 104.21.29.153:443 api.easymc.io udp

Files

SHA512 87dc0b07479234ef61c4b1a838ee629dfe4d62c6c02337182f561fa6209f82c5070a3c0f072e22030a3c8c21dc551f66b6d05d3a2809d0f5f3b6ca7afe34a846

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 1e401ccda5b723ab8a595a54f7d2531c
SHA1 127716680dd16f776b19c2306d716935e54c5100
SHA256 c167a458174e2a280c39d7af31bd109e8e2921032a687097b584653adc33ab21
SHA512 1f2f35021f338aa7c5a0ae83c196217fbca6b1d017ac1bb4f1eebb93bd6e18c5d74c1a14bd4899d7a91d054b0139b2c4fc3271c35148ad1d8b71139aff0132fc

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\swiftshader\libEGL.dll

MD5 be1b6fe26a1b5a3e1302c26ce5ce53f3
SHA1 c3cac08e89c4cc91eae1cc87e33a1dea723f1d78
SHA256 162abe61314e720384d8cdd43190a89df8a96de52f3ede7b6c58998f615d8546
SHA512 07dca111391dfb6b7e90d4be02071bc625128eeca0b9d9a3cebdc7916baec9f95cbbf906f2533befd6b62b9bbc69488ffa720f8d40c9710dd3b7d540d9dcaa55

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\images\mojang.png

MD5 c87524b65e064c564d97b782cd5e49be
SHA1 439e9d6ba008a53015bb35dd4c757f68a27035c7
SHA256 ab15f46745e9f79b03f2dd414db0692c43776297b416c508dfb478f3fc31d517
SHA512 4bc2c07479aac39b2529c6639f7dbbfa6866b10dc2aee055b549f8d49e6609e68d9073166169c304cea65784c45c18ba9bc3a751fdefeaa0e8df1174e7ec2b9e

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\images\grass_block.jpg

MD5 306cea0ed44b65ad39b655b390cd7193
SHA1 f6eed63cef5c6753e43becc09b337119779a12a4
SHA256 d41c38b285922cea8c7fff69ffdecf536a438b080d1cd7de05dbbda8d2c8edf9
SHA512 8ca08690130c679e01b5e29781b2e113bcd24aa80875d39ec6d3800f6119a36c4ff029c8c062d5f9fde8b049e0556e2e1083e821236862563a4699a0c09565f6

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\icons.icns

MD5 158e222cd935bd0896c0ae9f487ff802
SHA1 608d0f248deb75705ff42c3143f16456debd9307
SHA256 a62384102c23e7dd8e715a671c75bae0b66d455088cd80c957276a97915386dd
SHA512 1f166bbbb73ae64575b0dc6359769cb16095bbe49b3f94a6cba9cf5ac433e62e3ca1779ce7d40abe8aa1a2b8dad4fd0bfab4fa386ebd8acc4dd86b78c88bfa9d

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\icon.svg

MD5 6e21449b8640ba1dcf485c7f4fabbd2f
SHA1 1a50ae72417ef6bbf868f6a3fc75d1a6a4d8cce7
SHA256 08545f22c3bd00fca027a79a26f605c815166a0f18ffe41ce706b5cf68525bd1
SHA512 754a63e1e04b8a4e1c674c4e7fbee91d025a10010cd5051d2aa22d303e7ed5de1a404833a9ab2f9662f478bc269424672ea3d172ddfc4854fc18620719a5597f

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\icon.png

MD5 bd8d487e261ad75074f94d065a1fe5ea
SHA1 5fed02a831fa006d24d2053f271817969c411539
SHA256 5155e83d66a6c33b38551a7806b2ecedf4c3d6022811c18e3a90a542e725dd20
SHA512 5ab2b0b469ff0af0cd8e26a6767335369ca8b73e7b9f574ba38458b1499978242dc88fef5975ffc6417335c7931dedfc91158e70018982adb92c23d776dd1de8

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\icon.ico

MD5 ba449c2f602dbee8ccb754ab9ccb013b
SHA1 b61391be537be84bb22140a22d43fbf96472cc55
SHA256 8557d5790488957917671bb447fa41248961cbcf60395023d700f4b431e16db8
SHA512 cc5ca1fc2844ad01eeb5dc50d469427a6a4c18ae54c5732e8cb9f20be5667207330f870d18e681503ae2bf9c6c94a03eac8b83d8d32e344101566a933405b885

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\icon.icns

MD5 fd27b269f6bb7c7c28d0f8d330cb8b78
SHA1 5436360c72d3bcf03099b91904d6013e4ef9098a
SHA256 c32d173e12c75d85532de8bebf8a65389ff352e38623cbcb5d90614f979b4a1f
SHA512 647e113d40973b96377ab818a3ea3f269613da29c84e0b5649cd024c9ea1c2d63235dadd97bc9490fa46706a2f39c2957360741e85da78df96c74cc0144cccb8

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\entitlements.mac.plist

MD5 9920b60c89256ceca825062dc9c53c53
SHA1 0f1d847ef4067022c69fd82c135f3dfd2e4d352d
SHA256 f4b2891dc2b1239191cecf7cd5b9a36ea4edaec33c1cc091e09380d669e8fb63
SHA512 93ef0a66d6aa8091af3ab8af4b1ced502ded11f658aa77b6a5fe9e3d36bd5d01231060a0a656ea627c0fa32313b7a3438c75e1eb96f4f07692ee4d0f53ce9a90

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\assets\assets.d.ts

MD5 3474b89e956a0f104c48700caf1f35e8
SHA1 061fd896f9f418a4db9685fdf4cc4646bbd7018d
SHA256 498a5a3ecd170f99e34ef350c1150397a56461ca7f9961d2a22890833eec2edd
SHA512 164804bb6b9142dd423f75e3f75700813a154f4a41a271aad4e191fefcf4a8d32d4c7d5972cfec6a7f4753ea44ea5dc03d4fbbe0c28cf00af47729b2f66c3ca7

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\app.asar

MD5 9a6fee0ef9e7972344ef3b2315bfb853
SHA1 ee5bc71baaed68f28392e8d4b570408abe0c8071
SHA256 320bc0f0e1310c128d0c7df93a5ba1e0390a306d6610888810a917794f49d382
SHA512 05d00ebe9e278a910af687ed4bb7300aa57ea21b85ac12cb4b0d71641d420f3a0c518f1310846e71570a3b7b09834335431f874154f2abe8f2e760064dc378ec

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\zh-TW.pak

MD5 03ade5ba27cd3ae9bab6ab3a5cb721c2
SHA1 a747311a5f6c2e0e535efd52bc96f3c4d12d5c3f
SHA256 0c4abf7a66026068cd4f458d504cb04f3e04cf9fae45419ddc2d592f24899a2a
SHA512 33e122328773039595248a85dc0940841a1e273957ec9a4e175871b3ada48008b608ca6569b495275abb8e2a8844ee0c4d90b48af915a3f5a6aa44f3c37e51f3

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\zh-CN.pak

MD5 20b6d54de42cf9c56f0a85fdc27d82e8
SHA1 cecb82b4afe8544876f443fcf578453358ab59a8
SHA256 4140caf95939f116993ecd8bc5f7681991f96735d2397c9c7b4c66e3013eed24
SHA512 646af407dfb85863f4555961f37f706c18b5c1e68b3111eda9f9b531ba2bb60cf67211ad634037b872156f0ddd04d50d68c49173a27a78ce59f75cbc2bb6c3bf

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\vi.pak

MD5 98cb45f0555aee1985710196db17d72e
SHA1 1362238c253bc2a0e50c8dde6c95deb027fd6348
SHA256 39a130557fea33a9c899f347fa3ed455e58bd51acc0b3b4586f76694b0f34646
SHA512 93125310ade0c7029f0406aab291c35d2b7d1941f85bfd3d6071f85ff347c46e793a5ef164c08ebfcba252269a4aa84bf7a3b8779a36ee2f3da303411becc27d

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\uk.pak

MD5 33f02db055c3f91148feee375acabfb7
SHA1 ca1dc284f41bc55cf35f94a4039008df9970d411
SHA256 1968e9ed7722089330e7a8ae2c08f241aa106ed2be8948461439e6a92c330688
SHA512 ad16973e4103ced979276c6de175eb600241491ec9c441168e6375f68f8867d3f0eba422dd0ef6404208564015119f1e5e2500d5cf4ff2d8da45d713ed8c251d

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\tr.pak

MD5 4e7c047364c7c4809242741b98b28092
SHA1 4ff1b303476cb75d8190568c346e8cc2e452da14
SHA256 6a25be43b786ab853f8081c53012be623543830cce5ccd246ec040d98f22b852
SHA512 4624cec04114c15a72a804fa4966fe61303effe97039337273ed0dc99e8a6a685ca5cf5fa901a84c8b219d443f1a89e6e7cbe09eb21e7ecff662301067a6cefb

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\th.pak

MD5 96212a5191b7062d1620388acf1d09cd
SHA1 d3616b6c4649dcfa347df0473e64219ccd63e63a
SHA256 fa5f97bf433df481a6257fa39ef8dcc7961c5d5a83008b02c9773836d7bfc96c
SHA512 5192c36317c3a50696796c7286f77b1a02b7a0f83abb16ff7d47ec94281b85ee2fb29b9ddff7c4ad8b28a2a757772bd2bc726b10c19658ab672966679d391508

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\te.pak

MD5 93edec428bdaa1f84f5c9478f440997a
SHA1 e03f6bd50b0e0d888f9dfbdc87c98ff567e6a91a
SHA256 a499f50e452ca02ea476fab8954e7ff58d2ee0c6263b8a4657b6ebddeecd2520
SHA512 ae34e29f1e8d23dacca66036e355b12ebb1117ec6e5e99413c792a0dc8b772eb63578b2406730b014fb4ffe32b05dfd9fab8adcf38ab3f5b9bfd0cf054ed09f7

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\ta.pak

MD5 8a1a245b43af1f174f262d8f53014d59
SHA1 655045f5c71aa2589851a66d5387d4125bbce1ec
SHA256 85d8ef6fb5fdbd1d689aa6cdbbb768376b08b03ff39f7528a3804a3b4bd82af1
SHA512 d71b73fd2b5658acf5825f142130c49c278c801fd8beb5fb2039a3c209a1214a9cc00fb6896735fa4d020bc2279afca1577f35fb0a96a315631d46656d2055d3

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\sw.pak

MD5 70510abd3079bf26caf327989e810216
SHA1 ea640cb8b3c63d71d9b3a0d377fef5540b04fe81
SHA256 a11017a3e0e7f48338d4515ec9e79c1764387232a0d9a05fecc4b594bff40091
SHA512 ecbc97397557e27e66536a97ddf78a744c104b258d40d6f31972e6e5c6615699dd24eb02144ae0d3d53764da0f83a06f561ba95bbf08da4bf4a548b0e7f8c052

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\sv.pak

MD5 773fc8c89b093c40191fc233730188c1
SHA1 28001794144bdb76f62044d57e2d52c8ae1635c6
SHA256 6aab29795a36a0234c6d447fb1fdd9011da505c348b934346a27b6a2ddb92ff3
SHA512 f9bfd3e72955104b922c34352ec16d56939eea634b9abd549d4a3342dd72f8768c85bff59814e419aee6469f6521f4f71fcfe9b8a81c1824187ba818f6d6caac

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\sl.pak

MD5 cfb094955a5a8f655ce8a598d5a89706
SHA1 181ace68b0c3be132ab73302ba7f7c8750f9adae
SHA256 15489195e92cf11354a9a02895aad2ba8f17aecb676dd77942054a4f3f0fd623
SHA512 a31e131663072c1192a4146321db5f0f457d27e14afc8ae40a92a4f255df4cd5302774534fed5247e145c73739a709dd5852af35750f35ecbab0fd4c1a612e2f

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\sk.pak

MD5 befec33f564454253ad90d6cc06ecf62
SHA1 1fa0e082c89f9aa397551421a35b7dfc941f5250
SHA256 9db30eeac7f1814158283affa0af6451c6f7966896cd6d6df8eab14a37e58c9f
SHA512 a581faf67311eb8d81b481d1e3348f579745331f87523650a4fc35ddbe6d5033e726feab0ca3911ef76a21aceabc3e2122d16333d1b7840a933b5231a9e2d157

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\ru.pak

MD5 fd441a4b72397f5d76915ebcdef45aa1
SHA1 94a0ab5704e7303c6ef1c2ee5be0b6f4a52d146e
SHA256 df41fb92e4d682d47b5adf942600b4f23c1aa5274b31b844cd4c4b6f0ec86a86
SHA512 5fab517ec0141bb67b4b5ac868100b770fc0b7773b94f977af9205294da9305a2079327a4ece1ff1d9a3b3c805c8d8676c2b0505bf190d1c57c4ed0c14a1cfdb

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\ro.pak

MD5 4d1ed9e347de9351454d11132c06e916
SHA1 e3734d17a579ac423ec5fdc5829a211c7b76e049
SHA256 57dc80c76c535c645893c9d3b4d0c4779aaa877445383abec79e32cf02c41276
SHA512 bd3d0841678879a24eb6f2f15c27bcb64a5d7ad171debbb51e7601a3898b830b1985b365363a01d22967969d4d4ddf89a130a5a33ff6a94cef6410b0e89f1849

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\pt-BR.pak

MD5 3b70cbf1aa47436b78a5e8c7672ce775
SHA1 ff9f2820e5782f9eae0ea1d5ede61665fa62cc06
SHA256 8b4a8a3b8741610c279283a6cb843cb274223f720edac1c73296340b02569fbe
SHA512 41e3b3264d8034edf9ee1ab696ca4612ee6ef4e8537b4598805362c4a250f81274425cfa2c9c62330fed73a683e6d3b2ff537b51d869d7da19c4422728da7c0a

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\pl.pak

MD5 41fd7c76e30b333027e86e20a65283a8
SHA1 81afebdfd62255d0b0ca508141dcd7b67982f4c1
SHA256 5de95dc2236f896e66debfe2cc7553a5bfeaa7ffea2820fe1f2f67368af84f7e
SHA512 c59132dc329ee72fa8e9e9c653da597b5fa40a6eb0a7988cf62b1bdaa646a9f09f504219bfbc5af394a12c9ab6050a39740460a3e5c3ed0946b556c33f608219

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\nl.pak

MD5 a17bff141aec095625d0420c7a609b08
SHA1 edf3746b20ff9e3bdbf09b195e7781da1f799a91
SHA256 7482c28c2a42a94615118b6b8cc7d002415923ca104ef86a95a4ad05c8db36b9
SHA512 903c50c39160e40920bdcce0dc337e83b03bba00481f82ebc8ac1cf6927ebfaa75b1f9791038a71632c5e79bf7331bbf7468cc626e303929801c08f54d092c8b

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\nb.pak

MD5 e5546ac3407546d6b786e24c7bc21ab1
SHA1 7a9e44a525ae005d0b41020c403c4e1e49d237b7
SHA256 751521cbf27777bc99f2039b987686f921cb27e02c959f6cbeb976799e45066e
SHA512 becf51540db5a0893e6f44d588be98142bab5c2a0f37c0212348e3cf39da52def2fd104c039229b52767a9345890f5768ed897b4bde5c6feccd75036d8b4f363

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\ms.pak

MD5 0bb952597b170dd4dd76e9d9d546ac3d
SHA1 101aafdf6a4ac0cdba7bd88538e7ac395e715e3e
SHA256 f6721ce0d4d601ffeff011d652a9bf2518386cd8c1d2317763e37512451534ff
SHA512 46c9b63273d6ea30ee63ff230d6b5600018ae54032e04a6707f5873ebd383d0d59645f8d0b44b8ce9a4d40d5acd3453b618b9c4fd3c1b958adb5aefba3465464

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\mr.pak

MD5 fd3452d812a6129b8b6db620423adca0
SHA1 9bfe47a0e9f1843c90875f28d8873d592098024c
SHA256 c9704a3e528092ef676be4a653cb14b906e7c32424d59c8e4f22981014bd9111
SHA512 7ec30343e985f7bdc6a64fc13d50bfe58ae098b03e18afeaeb4c89073059698cdf40477f2323a52c5e8f07f37b28608c54734501d14ad6ae0c9a0f2f4ab0e689

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\ml.pak

MD5 21aee42070f9eace2a8e14759526f05f
SHA1 fedd83251a3fdb1846bf0e7e49a3a78cd77fae02
SHA256 393d2dcd5c7c33945626fcf10ea4457649fa7b4c100c039898385133c26395cc
SHA512 60cc85a5a638d370710680bd39a6946d04660a0856bde49190fbc0002acf91617cfc3f3087a37cf592c047550ed2c5b73c2a769fbdffcacf4ad3ffa129c929e3

\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\lv.pak

MD5 7313fab584b7561b1fa63de07b972118
SHA1 3a44d445f57a78867d37638a80ab39add3fcaa4a
SHA256 7b92238240c31c197029d41fdffc244f68caeb8002854f65ee3125bd95643598
SHA512 05b067847a63c0419298616278678ade6a4fec4008323121ace5a09e22f6dae409494474f5a88adc703833691a7d4810546d012d4311e176fe58812f166b8ae3

memory/2360-679-0x0000000000790000-0x0000000000792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\ko.pak

MD5 f21c6033fa73bc7d3358c2467c9048d2
SHA1 939f209f00e6664294872e0dc3b33a9015a2f1fb
SHA256 d19cfa8ae07f23b81c0d40d7e751628844fc1aafb83d4bb4dcbe71caecf6ea2e
SHA512 a4a4909ca56d3d924639cf1adab6d9ee512132c99c8e3dd37f2b949a1c816ab29ce81c01c658022e680344516201fdb0440abb97e577e6946e2731411674566d

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\kn.pak

MD5 90107e2353e707a6d071c9aabb5adefa
SHA1 e4dfe445ca7830b3a56af38af1d73e3cb94abc73
SHA256 9155b06ccaefbea6461f5c51e25ce25d85ca7bd557e76dae00a4d6a09a4bc424
SHA512 dead3b94638afbf4ef27e1cb5283ad2d0af73ab8996e7d2e8202ad174796121799992f577c974fc0ec53fe2b8f6fb4d37c3bef70b72c29b5b721377a0cf3b093

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\ja.pak

MD5 e720738027460b044429705f7ea1d25c
SHA1 851b59efad4ae074849fe41f40a56c5534caaf72
SHA256 c78fde77efbca1b3cc0cd12bda718d1a113bf6b6f3ed558b5c9a452dc974edfa
SHA512 08b0fd0ceff7ddfed26985bf84b54d75cead1f6fd4d5971da9e40996af6dc5fe9455c402f62e758020a6ccdb1ee0213cc2a5ddfa28a2bfb1e8064c6a4401c3a2

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\it.pak

MD5 a2b9cce245e754258ea187ceb3aa2670
SHA1 50f84fbcabea10385714a3c3a2483247ac040c02
SHA256 b72f89e5d2cacbd2db7ce28ceae35faab8c4199ec993fea64e8c78df882032d0
SHA512 5e9cca2605d4a86d4f2b39845c8396c37f88b6f1d08c8f0e2b6f0896d60754331a588d0c0fc59e9ad8fccf0d50100a2307fff2d9df784f91537b1d9e108727ad

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\id.pak

MD5 b5e4e0092bd1063e8bd68d0b539ab005
SHA1 5e3d12a6fb497687df81ed64de17b0502ea84f2a
SHA256 8d7ef1377d39fb6045c9d4b1bb064c329bd789ee33b6de530c187f1e713dd7f0
SHA512 52b535a143bc13a03804cfda2d3f2f81f036b8d24897d1ef4a657ed290ba14e43d7cfe92c868cdef6b093b09b90119f7e50e8496eaf347c8e4fdfc13c5e306a2

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\hr.pak

MD5 feea1754a955eb61cd41763be4e5ae2e
SHA1 bb6252fec9ada8bf9ed7b81f59843d5abfcac80d
SHA256 787680ecb5d5ece246894481834b30145919c22b04d2dcad2f6ea2b2254abafb
SHA512 3d24c9ccb83f6ecf976df5cf00fdb0b46d53f09c1cb08ab68bb8d9944452785f40a761a152605708d7672f7dcb24e0b7cad1cfc14b267bf5fc1393cfd05ae4d0

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\hi.pak

MD5 34bcb12c154075510d9d3066ad4a8d1f
SHA1 6a3c062221db4f391f8505892f584647b05a410a
SHA256 83c6c411d75ec5c5de6984b21fdecb07c9b926c66b67c5c99380605f6fdd8928
SHA512 aba38e4a8039bbdc46b510a8370c82d3b199b4a02da7751c162c941e6d893a9cdfc0ce92db4144ecc2b2644d58b0bc6cc7cceb0533c62c131cc55be0258c3a7f

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\he.pak

MD5 6010987755f300c7984dd3f72f518ab2
SHA1 eb85f0849a86aa5fb585efaa070d2d7300b197a3
SHA256 1c84a575e28e9a72335ed13409d6861995bd9859fd57a4d9509fe912db4a56a9
SHA512 4b77f74d986c16524a3a6c7f60cdbe53ac5be59418737835a7fa186e4b6ee853cce8317cce352fe4064c75a7d27bf1303d76eabc53993ff1e4b7758a8ccc6228

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\gu.pak

MD5 57cf11b4352e59f11b20b7ab754af031
SHA1 ca1716d419f175a2dd548929fd551dcbd1ef4bd7
SHA256 55588f211c26e1deb47b04d39728ec051b99334c55d30252b94df57d0fba2f52
SHA512 c74360769323b3267aa218e994f49c7e135d4f320365a349a5362c1755c4b660050a070bec6c5446d4620be97a341270b6c01289db20ddf5199ece23117110a4

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\fil.pak

MD5 693abd21a6855aeaa31f6c738c6b6fc9
SHA1 bb1fa375a9f0c682d9913b1c1610535eb2b4028d
SHA256 f0bb231c710c025ad4643e2128867de6e111da867384082e7dc2d0769976b6ce
SHA512 03c68c45e3144a73251d950a8c7695e5b9c2c66711134016543ac07ee6eded723324d5312fad4624d35d0bfe9861ca4b7440d2445e6d3d6cff4a1a3cd5263c98

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\fi.pak

MD5 4f323a2eb73ccd029e742cee4dfa9769
SHA1 b860372d21cc55eb7ddbbf9f5bac61fed39426de
SHA256 e1888472c8e1330e70e514d0a1936749a7e5d39f67e7edc818661c2cbf3e301a
SHA512 d07d0f74736cd32d73b3a33867e65a25b727b5c30cb743162908e23d958fb3ae97285f600a9ef8196e61be9d450da5903d1e468fceb3b05ced93aa600387fddb

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\fa.pak

MD5 e3f56d4b0fa2878ed6847631d3b05dea
SHA1 627f48d5423afcb3cade0789f058d60867419041
SHA256 2ee67a38cce9ffae1a639be17c0ef7ed7c763d9c15c9621f300bf634e1f25a64
SHA512 e29c28717f31dc57c2294857680a439acec25478913ea425b0c7b6e50f3343b21fb7983c15352f9e3c001ffa0c8e500d92a1924acde32a4b5bf3f5b6c60c4142

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\et.pak

MD5 fcdea2954549e5d8f1e7a5de36ae4f74
SHA1 41dcdcefbbab3e0e908d98ec9b6bac7eacecbb99
SHA256 d875bca2e8800657306727902f4f5fceec7415ea530bfa780ece0f016f792569
SHA512 37ea008078083a36b07b1f5d0ca6e16f62b06a19266d8042efc796bf33c53200f37d3a37f5b48d024dbfab9e6689ec9c3f22d6e37e3898fa7deb61ace1fb2df3

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\es.pak

MD5 39288ea031009bb9db582cbd93c7d534
SHA1 467f76d33e39526a4d8cb6068eaf8e2791b3a9ee
SHA256 6cd39669df96b4b5b9047f7689338d3beb9ad7f8be2fddc595ef1ecbc47481c2
SHA512 4a635e969cf2b09aab5f8723a3380c5e226bf0546019506d18de65c1e4a599d268b9ee2e03a65b245075f899a09697b7b535f1055c19344a411100c8f29d93b2

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\es-419.pak

MD5 cadd9ec43e823609c4bbdc418da6009a
SHA1 91bdd44d5972a4763227ee7c127fe122aefe195f
SHA256 6c8d074047d57a79cf5cadf9caa6e9a64bce0895743a3dd89ed1350cc91c1e4c
SHA512 2b9eae4072e46024e33f000b1df1a64246f70498a557f4a03234d3dd47aadb04883b98ebf48eec21f0d6ca4c8a62065f675fdb352be680a56644ea3ae1db93a5

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\en-US.pak

MD5 0dcd84e9e50a3e0819d5875ea889ced4
SHA1 7c47f6e4e0cafec3a13c07d689d1dd6ff6516b1e
SHA256 699b6d7f05a484e76d3e1197a656247863e570f03cc02634c9dc42078a5c5007
SHA512 153fc15f676d78d5d0f3a6862fc7eaa60c2a659c25ce87485f0253c321d9407a9b799b959104c27a8e7b5487f0de926ae8f375e2c3d313329112e48f2d001a17

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\el.pak

MD5 db449f218a705453eb10b5f418e28d7b
SHA1 7bc8fcc59c532bb086a7f081cd8d275a89dac835
SHA256 73da35d01b91707846775bea7dc0331fc1caebd5c63d101aa8bb8bb58ca7f193
SHA512 7dce45bc723d62498b335be0ab72dfc91c44c01f96f25c2314e9245a0eab28a92dcaa730b11f108b604545592445ed1612721416f60ae3bf55b1bd438bd04f78

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\de.pak

MD5 fceb00caf7e76e688007665feae99e83
SHA1 06fece84cf7028b3871f144258b8d084faf8745b
SHA256 80e63ef1950b8438813271365a7b6a3f3aba0bacc179f5675654249f31c06a3c
SHA512 08c14eb299a035949e6b64a069cadee66c420b7d66bb00d65d6a1a08fbee08a57ab08f8e77c44387f0fe02b47aeb0bf2709a1979025613cb51af4ab82fc3b6d5

C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\locales\da.pak

MD5 22134b12d90fdc00f23a1e0a6fb04eec
SHA1 17c9fc2cacb6e5ccc393d1af9bdf3e8e63ecdaaa
SHA256 62020dd01b47b696e2e11d7f5598628c07782a96ea6bc013dc2ffe8c820b7c94
SHA512 9cce6ffb2d84cedcc5ccf200080d6a2cab691468c042e8e48a5fdd809b5c0d067c322326e49d18f66da8e0b1d28adeda4cd03e12d7aa11350b72776737aa3427

C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad\settings.dat

MD5 b9c43cffbdc9ea7f18e6b1808485e383
SHA1 055d7de4c9d1b630201e9c80de60ffea7b473228
SHA256 62a43bf4523b2792ed5fab7b23d8325faa1154284fd3dd3cabe99b9226d7b264
SHA512 fa2286bcbf070450f522d72164b9b6699ade084196dbc64015b71202ff0f1cc6a23b44aa96cc26ec3f8099a8a13efc526499c537f465ae5b48e60ccf7f6f3a2d

memory/292-896-0x0000000000860000-0x0000000000861000-memory.dmp

\??\pipe\crashpad_2984_YHINPZUHUOBBAXOX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/292-929-0x0000000077710000-0x0000000077711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4730.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar47FD.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f372ed4f2ee0d5c32b7401bf601fd1b
SHA1 63d7407880ff75d901884957edb4ff83e3712de2
SHA256 6ff57d75b984f6bcc8ebf890bbbc9476845fa26cbd68df40ce8561c4e442fb45
SHA512 2a917e83a295b443ace477050856d721af2b1ebb3370e63512078f9725357e50b327f0528e8bfd81cc6c0e0d5ba080eab71e98670eb852dba427465c75afa05f

C:\Users\Admin\AppData\Roaming\easymc-launcher\sentry\scope_v2.json

MD5 dbd56933b91a6749d0f0b337fe24bf26
SHA1 ee0e52573c0195deaf6976fc804c01bfb70559fa
SHA256 9082b26081755e5146f75713590856e2161d089efeb9c6bbc35804d54822e01e
SHA512 83fc5b114f4a511a0ca38d7b97ce148d3e3fc45f3ee386df067a7a800b20847f36f1b0b6354ca2f36671ca83fde6f2ce5a314aabe7a9e86ca6bac904d43254be
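The listing above is a flat run of path / MD5 / SHA1 / SHA256 / SHA512 groups, and some captured artefacts (memory dumps, the crashpad named pipe) carry no digests or carry the digests of zero-length input. The Python below is an added example for this page, not part of the report or of the sandbox's tooling: it parses such a listing into records, flags entries whose digests are those of empty input (the crashpad pipe above is one), and recomputes the same four digests for local data so an extracted copy of the installer payload can be checked against the report. The SAMPLE text is a constructed excerpt of three entries copied from this listing; the blank-line-separated layout is assumed from how the page presents it.

```python
"""Parse a sandbox report 'Files' listing and check digests locally.

Added example for this page, not part of the report or its sandbox.
Assumed input format: a path line, then 'ALGO hexdigest' lines for MD5,
SHA1, SHA256, SHA512, separated by blank lines; entries without digest
lines (memory dumps, captured pipes) are kept with no digests.
"""
import hashlib
import io
import re

HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
           "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Digests of zero-length input: an artefact carrying these had no
# readable content when the sandbox captured it.
EMPTY_DIGESTS = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed excerpt: three entries copied from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\nsi21E3.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

memory/2360-679-0x0000000000790000-0x0000000000792000-memory.dmp

\??\pipe\crashpad_2984_YHINPZUHUOBBAXOX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def parse_files_section(text):
    """Return [{'path', 'digests': {algo: hex}, 'empty': bool}, ...]."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            algo, hexd = m.group(1), m.group(2).lower()
            if len(hexd) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current["digests"][algo] = hexd
            continue
        # Any other non-blank line begins a new artefact entry.
        current = {"path": line, "digests": {}, "empty": False}
        records.append(current)
    for rec in records:
        rec["empty"] = any(rec["digests"].get(a) == h for a, h in EMPTY_DIGESTS.items())
    return records


def digest_stream(fh, chunk_size=1 << 20):
    """Compute the report's four digests in one pass over a binary stream."""
    hashers = {algo: ctor() for algo, ctor in HASHERS.items()}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def compare_digests(expected, actual):
    """Algorithms present in both dicts whose values disagree."""
    return {a for a in expected if a in actual and expected[a] != actual[a]}


if __name__ == "__main__":
    for rec in parse_files_section(SAMPLE):
        if rec["empty"]:
            tag = "EMPTY"
        elif not rec["digests"]:
            tag = "no-digest"
        else:
            tag = rec["digests"]["SHA256"][:16]
        print(f"{tag:>16}  {rec['path']}")
```

To check an extraction, call digest_file on each local file and compare_digests against the matching record; a non-empty result means the file on disk is not the one the sandbox saw. Records with no digests are kept rather than dropped so that memory dumps and handle names still show up in IOC exports.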

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:29

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3368 -ip 3368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 71.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 3380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 3380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 3380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 612
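The behavioral6 and behavioral8 runs are the sandbox's own detonations of the NSIS plugin DLLs the installer dropped under $PLUGINSDIR (StdUtils.dll and System.dll), each invoked as rundll32.exe <dll>,#1. The lineage recorded in both, the 64-bit C:\Windows\system32\rundll32.exe writing to a child C:\Windows\SysWOW64\rundll32.exe with the identical command line, is rundll32 handing a 32-bit DLL to its WOW64 counterpart, and the WerFault activity is that child crashing, which is what an NSIS plugin export does when it is called with rundll32's arguments instead of the installer's (parent window, variable block and stack pointers). So the WriteProcessMemory hit is explained by the handoff, but rundll32 loading an ordinal export from a DLL under a user-writable path is also a common loader pattern, and a detection should key on where the DLL lives and how the export is referenced rather than on the rundll32-to-rundll32 chain alone. The Python below is an added example, not part of the report or the sandbox: it scores rundll32 process-creation events on those two properties and annotates each hit with the WOW64 handoff and crash context. The EVENTS list is constructed from the behavioral8 process list (PIDs 2384 and 3380 as reported; the other PIDs and all parent PIDs are assumed), and the set of user-writable path markers is chosen for this example.

```python
"""Flag rundll32 loading DLLs from user-writable paths, with WOW64/crash context.

Added example for this page, not part of the report or its sandbox. The
EVENTS list is constructed from the behavioral8 process tree: PIDs 2384
and 3380 are as reported; the other PIDs and all parent PIDs are assumed.
"""
import re

# rundll32 <dll>,<export> where export may be a name or an ordinal (#N)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>"[^"]+"|\S+?)\s*,\s*(?P<export>#?\w+)', re.I)
# WerFault's -p argument names the crashing process
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe.*?\s-p\s+(\d+)", re.I)

# Path markers an unprivileged user can write to (chosen for this example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

EVENTS = [
    {"pid": 2384, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"},
    {"pid": 3380, "ppid": 2384, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"},
    {"pid": 4100, "ppid": 3380, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380"},
    {"pid": 4120, "ppid": 3380, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 612"},
    # Benign control (constructed): a named export from a system DLL.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline):
    """Return {'dll', 'export', 'ordinal'} for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    export = m.group("export")
    return {"dll": m.group("dll").strip('"'), "export": export,
            "ordinal": export.startswith("#")}


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyse(events):
    """One finding per rundll32 event whose DLL lives under a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    crashed = set()
    for e in events:
        m = WERFAULT_PID_RE.search(e["cmdline"])
        if m:
            crashed.add(int(m.group(1)))
    findings = []
    for e in events:
        info = parse_rundll32(e["cmdline"])
        if info is None or not is_user_writable(info["dll"]):
            continue
        parent = by_pid.get(e["ppid"])
        # 64-bit rundll32 re-launching its SysWOW64 copy for a 32-bit DLL
        handoff = (parent is not None
                   and parent["image"].lower().endswith("\\system32\\rundll32.exe")
                   and e["image"].lower().endswith("\\syswow64\\rundll32.exe")
                   and parent["cmdline"] == e["cmdline"])
        findings.append({
            "pid": e["pid"], "dll": info["dll"], "export": info["export"],
            "severity": "high" if info["ordinal"] else "medium",
            "wow64_handoff": handoff, "crashed": e["pid"] in crashed})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

Both rundll32 processes are reported as high severity (ordinal export from a Temp path); the child additionally carries wow64_handoff and crashed, which is the combination that marks this run as a failed out-of-context plugin load rather than a loader that stayed resident. Feed it real process-creation telemetry with the same four fields and the same logic applies.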

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
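Most rows in these Network tables are reverse (PTR) lookups to 8.8.8.8 for addresses the guest has talked to (the *.in-addr.arpa names), which are environment noise rather than sample traffic, but they do name peers, including ones whose TCP row carries no domain. The Python below is an added example, not from the report or the sandbox: it splits a table in this layout into outbound connections, forward DNS queries and reverse lookups, turns each in-addr.arpa name back into the address it refers to, and marks outbound destinations that were later looked up. The SAMPLE rows are copied from the behavioral8 table above plus the domain-less 172.217.169.74 row from behavioral6 to exercise the three-column case; the row format (Country Destination Domain Proto, Domain optional) is assumed from how this page presents it.

```python
"""Separate sample traffic from resolver noise in a sandbox Network table.

Added example for this page, not part of the report or its sandbox.
Assumed row format (from the tables above): Country Destination Domain
Proto, with Domain absent when the sandbox had no name for the peer.
"""

# Rows copied from the behavioral8 table above, plus the domain-less
# 172.217.169.74 row from behavioral6 to exercise the three-column case.
SAMPLE = """
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
GB 172.217.169.74:443 tcp
"""


def ptr_to_ip(name):
    """'237.21.107.13.in-addr.arpa' -> '13.107.21.237'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_row(line):
    """Split one table row; the Domain column may be missing."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def triage(text):
    """Classify rows; returns outbound connections plus the DNS context."""
    rows = [parse_row(line) for line in text.splitlines()
            if line.strip() and not line.startswith("Country")]
    ptr_ips, dns_names, outbound = set(), [], []
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)                # reverse lookup: noise, but names a peer
            elif r["domain"]:
                dns_names.append(r["domain"])  # forward query
            continue
        outbound.append(r)
    for r in outbound:
        r["ptr_seen"] = r["ip"] in ptr_ips
    return {"outbound": outbound, "ptr_ips": ptr_ips, "dns_names": dns_names,
            "unattributed": [r["ip"] for r in outbound if not r["domain"]]}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for r in result["outbound"]:
        print(f"{r['ip']}:{r['port']} {r['domain'] or '-':<16} ptr_seen={r['ptr_seen']}")
    print("unattributed:", result["unattributed"])
    print("looked up but never connected:",
          sorted(result["ptr_ips"] - {r["ip"] for r in result["outbound"]}))
```

The unattributed list is the part worth a second look: a 443 connection with no name in either the forward or the reverse data is where a sample's own beacon would show up, whereas the PTR-only addresses here (for example 184.31.15.35) are peers the table never shows a connection to, usually background Windows traffic that the capture window did not include.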

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240508-en

Max time kernel

89s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zip\win\x64\7za.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zip\win\x64\7za.exe

"C:\Users\Admin\AppData\Local\Temp\7zip\win\x64\7za.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1708 wrote to memory of 4608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1708 wrote to memory of 4712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1708 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffcf9ce46f8,0x7ffcf9ce4708,0x7ffcf9ce4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17367774753485460328,1832785413675148308,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_1708_XKMJNWJXLBJXGPXC

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 220

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240611-en

Max time kernel

123s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 3148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3532,i,18320353784098040629,17273168055569331828,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 71.251.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

ubuntu2404-amd64-20240523-en

Max time network

130s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win7-20240220-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.227:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 227.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:28

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-18 13:15

Reported

2024-06-18 13:29

Platform

win7-20240611-en

Max time kernel

120s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Network

N/A

Files

N/A