59256f6a1f02f8dada5833017bf8f152c8a63c007a620073177c789966958e32

Analysis

max time kernel
132s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EasyMC Launcher.exe
Size

117.7MB
MD5

6632ce0aea5e1f13b6d0e7c65d29b8d2
SHA1

c461a6494612a66b0022818fe1d8eb2ab82075b9
SHA256

0eae69689ccee6f5993d136ac00b8d8b2561460f654e6b67128477d6c3a984ac
SHA512

ce686b5e951c6ee18e721c9916ced74a4b34370899558eebdff761776a25bb4e51089ac6d590e9c114c8e49ab4721700f587822cf2757a927674fd58d438e34d
SSDEEP

1572864:/up+Hn+3L5V0d4Z0MiqgOOWvqAx0F0XiiuoY/xGtspV8c5XJmv61/Qmm48LaLQed:SXjE5VhLyXgJ34ajsMzTP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EasyMC Launcher.exeEasyMC Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	EasyMC Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	EasyMC Launcher.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EasyMC Launcher.exeEasyMC Launcher.exeEasyMC Launcher.exeEasyMC Launcher.execmd.exeEasyMC Launcher.exeEasyMC Launcher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyMC Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyMC Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyMC Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyMC Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyMC Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyMC Launcher.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

EasyMC Launcher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	EasyMC Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	EasyMC Launcher.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

EasyMC Launcher.exeEasyMC Launcher.exeEasyMC Launcher.exeEasyMC Launcher.exe

pid	process
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1960	EasyMC Launcher.exe
1972	EasyMC Launcher.exe
1972	EasyMC Launcher.exe
4144	EasyMC Launcher.exe
4144	EasyMC Launcher.exe
636	EasyMC Launcher.exe
636	EasyMC Launcher.exe
636	EasyMC Launcher.exe
636	EasyMC Launcher.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

EasyMC Launcher.execmd.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 1792	1960	EasyMC Launcher.exe	cmd.exe
PID 1960 wrote to memory of 1792	1960	EasyMC Launcher.exe	cmd.exe
PID 1960 wrote to memory of 1792	1960	EasyMC Launcher.exe	cmd.exe
PID 1792 wrote to memory of 2512	1792	cmd.exe	cmd.exe
PID 1792 wrote to memory of 2512	1792	cmd.exe	cmd.exe
PID 2512 wrote to memory of 3192	2512	cmd.exe	reg.exe
PID 2512 wrote to memory of 3192	2512	cmd.exe	reg.exe
PID 1960 wrote to memory of 4592	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 4592	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 4592	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 392	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 1972	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 1972	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 1972	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 4144	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 4144	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 4144	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 636	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 636	1960	EasyMC Launcher.exe	EasyMC Launcher.exe
PID 1960 wrote to memory of 636	1960	EasyMC Launcher.exe	EasyMC Launcher.exe

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
4⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\easymc-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=easymc-launcher --annotation=_version=1.6.14 --annotation=prod=Electron --annotation=ver=16.2.8 --initial-client-data=0x50c,0x4f4,0x518,0x514,0x54c,0x7cba970,0x7cba980,0x7cba98c
2⤵
- System Location Discovery: System Language Discovery
PID:4592

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1776,1571014269099955310,3299933007972628657,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
PID:392

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,1571014269099955310,3299933007972628657,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1776,1571014269099955310,3299933007972628657,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2464 /prefetch:1
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\EasyMC Launcher.exe" --type=gpu-process --field-trial-handle=1776,1571014269099955310,3299933007972628657,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\easymc-launcher" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\Crashpad\settings.dat

Filesize
40B

MD5
710d50cd69e4a634f5bc23ac73cb0288

SHA1
a33494eb4d4e51689a5d68e15dbec3708011b5df

SHA256
7bda073f779feb5190da1454dde5fc47e9176a7db91a490b7647c38cce29fc8b

SHA512
53c081358feb465d03c05992fb37c01642c072857f5efa248e8330fabeed3878dfee845ab6be20edfa9c898bf2969b4608b33913b9ddbfae119c2adbb552cf4b

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\Network Persistent State

Filesize
997B

MD5
1467e8b18dcbbc36cae0ad7d83b636eb

SHA1
ed7e8f5de257aa3c6a1d48ac063f1e566500a083

SHA256
2be35d65e34d6365e41572ae6dfaa16040890a9d7f7698821157e7c867d9ac6b

SHA512
48dde3f657982d7b4f63041a0baebbdb0f5fff92dbaebdd3f470945c15f648b526aedae4a2dcf14bdcf206891144b86344196c57dc02388359a8aef21fbbfb17

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\Network Persistent State

Filesize
875B

MD5
9de519e052acccd982a2747234afee62

SHA1
0400a40a4c1284a2dccd0dbf346fe86f07b46cfe

SHA256
c684d6b6eb497700f1ef6a7184b57dd0103a7b6eea52466198679e9f45058ca8

SHA512
f477ce242dcf4c0aa8013daa14675ebd2c6f20b9bb86ea7aab88e780392baf2028919bb5009e201052a39d7b1f631bf3580749f352cef3f0a62d1fd1a9860177

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\Network Persistent State~RFe58af56.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\TransportSecurity

Filesize
371B

MD5
d5f5735960e3f130b5879ff30cb53c5a

SHA1
2ddc696aa12f7b977cd5860c6e33c45e3d777883

SHA256
6b5f9eee776e45e5c0ac9c33b91a3c77a6ec0d89703947e202c4706b0833291a

SHA512
35dba92626dde5f4248202b808ea81287a55e2f12a33aa4e488b2de9b5620c52a8c01776446b12fc03e5649ad00b456a63c30e4272d9346a108d778d60ca3650

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\TransportSecurity~RFe58af46.TMP

Filesize
371B

MD5
ea6ef633d4e9779d5e594853ef93da4a

SHA1
64fb9ad6203899b04287e02e121d08cb01cbc542

SHA256
fce5b985a5ce3405571fcb688febba2b482d44b45f7c2ffda3451fbac5eb9988

SHA512
d833e238ad29ca8eff7765f0c75f550672959d3db92d81caf3902540db2a0b2c8e2eb3dcb559e14762df382d508f7ad6658e445a7abcce76412cded392be3102

Download Submit
C:\Users\Admin\AppData\Roaming\easymc-launcher\sentry\scope_v2.json

Filesize
671KB

MD5
b4f81c38eef5b2090a92076fd1b80345

SHA1
6497feae818d0f93cccabe62479adbcc30d6334f

SHA256
1679e21db8725a7a3cbce2c6449a5ec8f3ec38916163f42ea97d933a5404b1fc

SHA512
4e4221f200ecd7e78e667707dd9c3674c4963591417efaedfed25cc1820dfa218ec815f7cd9b00d95a3f97e83c2d1ba87d1441cc0fa805b6ea7c30ce411b9b52

Download Submit
\??\pipe\crashpad_1960_ASCYZEXZUZOLIZSB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/636-124-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-126-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-130-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-131-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-136-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-135-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-134-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-133-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-132-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download
memory/636-125-0x000000000DAF0000-0x000000000DAF1000-memory.dmp

Filesize
4KB

Download