phorphiex | 10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b

Analysis

max time kernel
118s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Size

2.8MB
MD5

ee045243600f4dddb16e9c9f0330d884
SHA1

57ed1b903e92b27bfe6ce6b13747450ea62c051d
SHA256

10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b
SHA512

f25590f07cfc2517837a3d3e7fa80c03afff9b8a4a4ae71d6f525c89b221dddd2f9a49e7b5de584870c5b527ba8533c05a3a72c26a44ee95169149b947e259df
SSDEEP

49152:0ljHdG8GcuzCO4XKaYRwXUtyqcM8pdIcA69j7GUsRTd8sxjOPJnUl68QFy13Tgbw:UjxDuzCOQg+9j7YdOPJ8xQxw

Score

10^/10

phorphiex xmrig discovery execution loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

http://185.215.113.66

http://185.215.113.84

Attributes

mutex
Klipux

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023bd2-36.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4992 created 3360	4992	2801310509.exe	56
PID 4992 created 3360	4992	2801310509.exe	56
PID 2036 created 3360	2036	winupsecvmgr.exe	56
PID 2036 created 3360	2036	winupsecvmgr.exe	56
PID 2036 created 3360	2036	winupsecvmgr.exe	56

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/2036-492-0x00007FF6EDD30000-0x00007FF6EE2C7000-memory.dmp	xmrig
behavioral2/memory/4320-495-0x00007FF770240000-0x00007FF770A2F000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	1860711583.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe

Deletes itself 1 IoCs

pid	Process
4688	NativeUpdater.exe

Executes dropped EXE 15 IoCs

pid	Process
2200	9635.exe
4688	NativeUpdater.exe
3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
2512	569332624.exe
4672	sysnldcvmr.exe
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4452	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
5076	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4488	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4676	1860711583.exe
1968	3278832195.exe
2500	2239920500.exe
764	145608347.exe
4992	2801310509.exe
2036	winupsecvmgr.exe

Loads dropped DLL 17 IoCs

pid	Process
3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4452	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4452	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4452	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4488	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4488	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4488	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
5076	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
5076	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
5076	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	569332624.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
736	powershell.exe
4100	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 4384	2036	winupsecvmgr.exe	125
PID 2036 set thread context of 4320	2036	winupsecvmgr.exe	126

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	569332624.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	569332624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9635.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	569332624.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3278832195.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2239920500.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	145608347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NativeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{EB81D010-0A87-4E77-B686-29FD891FD89D}	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4892	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4452	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4452	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4488	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4488	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
5076	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
5076	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
4676	1860711583.exe
4676	1860711583.exe
4992	2801310509.exe
4992	2801310509.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
4992	2801310509.exe
4992	2801310509.exe
2036	winupsecvmgr.exe
2036	winupsecvmgr.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
2036	winupsecvmgr.exe
2036	winupsecvmgr.exe
2036	winupsecvmgr.exe
2036	winupsecvmgr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4688	NativeUpdater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	1860711583.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeIncreaseQuotaPrivilege	736	powershell.exe
Token: SeSecurityPrivilege	736	powershell.exe
Token: SeTakeOwnershipPrivilege	736	powershell.exe
Token: SeLoadDriverPrivilege	736	powershell.exe
Token: SeSystemProfilePrivilege	736	powershell.exe
Token: SeSystemtimePrivilege	736	powershell.exe
Token: SeProfSingleProcessPrivilege	736	powershell.exe
Token: SeIncBasePriorityPrivilege	736	powershell.exe
Token: SeCreatePagefilePrivilege	736	powershell.exe
Token: SeBackupPrivilege	736	powershell.exe
Token: SeRestorePrivilege	736	powershell.exe
Token: SeShutdownPrivilege	736	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeSystemEnvironmentPrivilege	736	powershell.exe
Token: SeRemoteShutdownPrivilege	736	powershell.exe
Token: SeUndockPrivilege	736	powershell.exe
Token: SeManageVolumePrivilege	736	powershell.exe
Token: 33	736	powershell.exe
Token: 34	736	powershell.exe
Token: 35	736	powershell.exe
Token: 36	736	powershell.exe
Token: SeIncreaseQuotaPrivilege	736	powershell.exe
Token: SeSecurityPrivilege	736	powershell.exe
Token: SeTakeOwnershipPrivilege	736	powershell.exe
Token: SeLoadDriverPrivilege	736	powershell.exe
Token: SeSystemProfilePrivilege	736	powershell.exe
Token: SeSystemtimePrivilege	736	powershell.exe
Token: SeProfSingleProcessPrivilege	736	powershell.exe
Token: SeIncBasePriorityPrivilege	736	powershell.exe
Token: SeCreatePagefilePrivilege	736	powershell.exe
Token: SeBackupPrivilege	736	powershell.exe
Token: SeRestorePrivilege	736	powershell.exe
Token: SeShutdownPrivilege	736	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeSystemEnvironmentPrivilege	736	powershell.exe
Token: SeRemoteShutdownPrivilege	736	powershell.exe
Token: SeUndockPrivilege	736	powershell.exe
Token: SeManageVolumePrivilege	736	powershell.exe
Token: 33	736	powershell.exe
Token: 34	736	powershell.exe
Token: 35	736	powershell.exe
Token: 36	736	powershell.exe
Token: SeIncreaseQuotaPrivilege	736	powershell.exe
Token: SeSecurityPrivilege	736	powershell.exe
Token: SeTakeOwnershipPrivilege	736	powershell.exe
Token: SeLoadDriverPrivilege	736	powershell.exe
Token: SeSystemProfilePrivilege	736	powershell.exe
Token: SeSystemtimePrivilege	736	powershell.exe
Token: SeProfSingleProcessPrivilege	736	powershell.exe
Token: SeIncBasePriorityPrivilege	736	powershell.exe
Token: SeCreatePagefilePrivilege	736	powershell.exe
Token: SeBackupPrivilege	736	powershell.exe
Token: SeRestorePrivilege	736	powershell.exe
Token: SeShutdownPrivilege	736	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeSystemEnvironmentPrivilege	736	powershell.exe
Token: SeRemoteShutdownPrivilege	736	powershell.exe
Token: SeUndockPrivilege	736	powershell.exe
Token: SeManageVolumePrivilege	736	powershell.exe
Token: 33	736	powershell.exe
Token: 34	736	powershell.exe
Token: 35	736	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2200	2388	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	83
PID 2388 wrote to memory of 2200	2388	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	83
PID 2388 wrote to memory of 2200	2388	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	83
PID 2388 wrote to memory of 4688	2388	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	87
PID 2388 wrote to memory of 4688	2388	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	87
PID 2388 wrote to memory of 4688	2388	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	87
PID 4688 wrote to memory of 3640	4688	NativeUpdater.exe	90
PID 4688 wrote to memory of 3640	4688	NativeUpdater.exe	90
PID 4688 wrote to memory of 3640	4688	NativeUpdater.exe	90
PID 2200 wrote to memory of 2512	2200	9635.exe	95
PID 2200 wrote to memory of 2512	2200	9635.exe	95
PID 2200 wrote to memory of 2512	2200	9635.exe	95
PID 2512 wrote to memory of 4672	2512	569332624.exe	97
PID 2512 wrote to memory of 4672	2512	569332624.exe	97
PID 2512 wrote to memory of 4672	2512	569332624.exe	97
PID 3640 wrote to memory of 4892	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	100
PID 3640 wrote to memory of 4892	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	100
PID 3640 wrote to memory of 4892	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	100
PID 3640 wrote to memory of 4452	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	102
PID 3640 wrote to memory of 4452	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	102
PID 3640 wrote to memory of 4452	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	102
PID 3640 wrote to memory of 4488	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	103
PID 3640 wrote to memory of 4488	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	103
PID 3640 wrote to memory of 4488	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	103
PID 3640 wrote to memory of 5076	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	104
PID 3640 wrote to memory of 5076	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	104
PID 3640 wrote to memory of 5076	3640	10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe	104
PID 4672 wrote to memory of 4676	4672	sysnldcvmr.exe	107
PID 4672 wrote to memory of 4676	4672	sysnldcvmr.exe	107
PID 4676 wrote to memory of 3428	4676	1860711583.exe	108
PID 4676 wrote to memory of 3428	4676	1860711583.exe	108
PID 4676 wrote to memory of 4092	4676	1860711583.exe	110
PID 4676 wrote to memory of 4092	4676	1860711583.exe	110
PID 3428 wrote to memory of 4560	3428	cmd.exe	112
PID 3428 wrote to memory of 4560	3428	cmd.exe	112
PID 4092 wrote to memory of 5072	4092	cmd.exe	113
PID 4092 wrote to memory of 5072	4092	cmd.exe	113
PID 4672 wrote to memory of 1968	4672	sysnldcvmr.exe	114
PID 4672 wrote to memory of 1968	4672	sysnldcvmr.exe	114
PID 4672 wrote to memory of 1968	4672	sysnldcvmr.exe	114
PID 4672 wrote to memory of 2500	4672	sysnldcvmr.exe	115
PID 4672 wrote to memory of 2500	4672	sysnldcvmr.exe	115
PID 4672 wrote to memory of 2500	4672	sysnldcvmr.exe	115
PID 4672 wrote to memory of 764	4672	sysnldcvmr.exe	116
PID 4672 wrote to memory of 764	4672	sysnldcvmr.exe	116
PID 4672 wrote to memory of 764	4672	sysnldcvmr.exe	116
PID 2500 wrote to memory of 4992	2500	2239920500.exe	117
PID 2500 wrote to memory of 4992	2500	2239920500.exe	117
PID 2036 wrote to memory of 4384	2036	winupsecvmgr.exe	125
PID 2036 wrote to memory of 4320	2036	winupsecvmgr.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
  "C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\9635.exe
    "C:\Users\Admin\AppData\Local\Temp\9635.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\569332624.exe
      C:\Users\Admin\AppData\Local\Temp\569332624.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\1860711583.exe
        
        C:\Users\Admin\AppData\Local\Temp\1860711583.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\3278832195.exe
        
        C:\Users\Admin\AppData\Local\Temp\3278832195.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\2239920500.exe
        
        C:\Users\Admin\AppData\Local\Temp\2239920500.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2801310509.exe
        
        C:\Users\Admin\AppData\Local\Temp\2801310509.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\145608347.exe
        
        C:\Users\Admin\AppData\Local\Temp\145608347.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:764
- - C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
    tools\NativeUpdater.exe 10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe 10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe.tmp --nativeLauncherVersion 788 --nativeLauncherVersion 788
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
      10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe --nativeLauncherVersion 788 --nativeLauncherVersion 788
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=gpu-process --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2116 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2576 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4384
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:4320

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
1⤵
- System Location Discovery: System Language Discovery
PID:4832

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc35bf2367ee5c6feb084ab39f5c26eb

SHA1
cd9742c05391a92780a81fe836797a5909c7f9c1

SHA256
7ad08f1c2e7df4102eb3a6d213f4a0c245300c275fd53e463655a8ab9fa3ec64

SHA512
0b6662ea93907902c9f5db98bed4e9d322a69e7b8df921f6b8bd8026fdbfa556b0afe29013e3ecc8982a6339c48b4fe371ba587f02c39de72cb3840ed0e6747b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe.tmp

Filesize
3.2MB

MD5
e8c86a94df2f0a4c5edfa59cfc420329

SHA1
4212cb446a2dce87225ca20ba45e10befb084062

SHA256
60c59edec70f5cd7d1cf880e7a1475de6f73932dc23ae913f9c7dfeaf52489e1

SHA512
273298886ff9466a28caae48e59d701fc1519ba39196ff5abac8c52b0d00e21be00e852ff453ed659fcf2c7cc980c138bf162a4dc8453d84fc542df451880e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\145608347.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1860711583.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2239920500.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2801310509.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\3278832195.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\569332624.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9635.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1iih4tl.zc4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef.pak

Filesize
1.9MB

MD5
fa6c54291dcc13acc9dbec30923fe503

SHA1
8f157cc1ab1c18bf47305543b149604797cd6587

SHA256
455dd904ba68305f45682ae9c776a87cb2cb67bbe2d20e13cf97a812b68cf5f4

SHA512
135773297e6481f66d53a6a6bb887e0e0ba17ded9f76e2cef2db48a095a4c301eda84feb46f2a44425f4d34accd72765ee324d30a0692aa0c6d2c513166d51de

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_100_percent.pak

Filesize
261KB

MD5
4cec40309dc9e4bf0f0cc915aeb6c9ac

SHA1
2da1b18943265f473f6b87b63132dbb2398ff487

SHA256
6267cb52b0ca5593cf402139e736eb4f1d6bc3f2eab4c6deb99934711050ef4f

SHA512
e684d4d735762e87c8556c164379f97f59b8b4077e2f4c49ae43610ca2a3994ad45839cf6edef4e741a4f1fb345413e4246fb5901dd52bd98c9a2f60866817c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_200_percent.pak

Filesize
412KB

MD5
50a6d9ab74ebfaeda5baa28997149977

SHA1
1ad557cecf3d54a5fbe471ceab189d344fef347c

SHA256
c8f7697bdb4aa19722b975dd2126baf8c2edb5c0a58e2d64a6fefa4cbb8335ec

SHA512
31647191b432f82ff24a41a16abb77512bed2f3105791079d795304452e2bff89f618202023fd133cdc79f80d02647093edebca9e43c19cbd4d2bed4c8d35180

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\cef_extensions.pak

Filesize
1.2MB

MD5
c294094045246da46492204f2920d74f

SHA1
229367ac0be0a2da9d6338cba6f45c07f790140c

SHA256
8e8882c3d420231e1ddd1329e259cd8dc38fe392727aa74cfa4df57125d4cfb3

SHA512
03543e3c436a8b42b3f5bb942de468b4898172720ddef5597535b81347581ae0c89bf91e6bef3b91c796ca5bd393a865b2fa53ba70b2fda6578c640b14ab92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\chrome_elf.dll

Filesize
810KB

MD5
4c8f4689e087a9843a79d6ec923f00df

SHA1
e6e37e19a04a55944bdfba6f9359bbe0ea8402fc

SHA256
8753acc450280e1c5ef5a09dac46d1fd873f1e66d771affc4b4afbfa3d59e3c4

SHA512
30b205bb4b391b23a7bb15248daa42af3ec34225d169a0d70325ea7e1422d298ea3376962e689311074346dd7aec3579789748e3aaa17b04ab72de6c0a0fc5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\icudtl.dat

Filesize
10.0MB

MD5
9732e28c054db1e042cd306a7bc9227a

SHA1
6bab2e77925515888808c1ef729c5bb1323100dd

SHA256
27993e2079711d5f0f04a72f48fee88b269604c8e3fbdf50a7f7bb3f5bfc8d8e

SHA512
3eb67ab896a56dab4a2d6eea98f251affd6864c5f5b24f22b61b6acc1df4460d86f0a448f1983aac019e79ff930286c3510891be9d48ef07a93ff975a0e55335

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\libEGL.dll

Filesize
315KB

MD5
e646266652e470489b912c39d4bbfacf

SHA1
fb5af43ba527f0b03f6e5db0dba870df7acecf77

SHA256
e2b31cbbbd97c2d098a44acd5e1c84e092f4bf4c535fe6ebc3703a78387c03a9

SHA512
fe5ca9d6dc63ca6982702072aa34ada2d43c3c781e1fac09e324b17b3ed05bb8d203c3c08c0fe4aaf8985781933a8a3f2cd8e4928b0fe567c46a8da46f481b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\libGLESv2.dll

Filesize
6.6MB

MD5
79d62a3663c1963c90ed84045e0450ac

SHA1
cd3b444ec31e78c7bef960f91548de1e1f2ae487

SHA256
896cd68e51fb5c4937717e350b911d5dd18dc285f466fb712ccb0578fff1365e

SHA512
2da35a7db00ad3c22de448abfe3eb4425088b51db0f093dcfb0e934edee40567ebc8cd1bf0768bb1a43a397a49ce5d388edf2427fcc09eb48033b8baea918520

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\locales\en-US.pak

Filesize
225KB

MD5
16a6914c9637812257e28b2cc4e6d809

SHA1
82212a642c90b51b8f67e517ee8782da841b658f

SHA256
8fe734f556d97e7c07d02e839a16565f7db88ca7091ca3903a9b153a68aaaf72

SHA512
6efbab68c8b036fd73951295a5f65718003deea46db838f6f263133452e09be45ce006246850facbb1922766f42c2ce1796722cecfcc8495921a7bcd9402a446

Download Submit
C:\Users\Admin\AppData\Local\Temp\game\v8_context_snapshot.bin

Filesize
167KB

MD5
cdeec3342ce88d4de5426032a6bf6a53

SHA1
b36ec3c3b20a7a06ff282d696f12b51904b073a4

SHA256
ca88a3c7034da1de52d35823fba0fe80ba5376ab70cdc1841e6aaf25c1f5dd6e

SHA512
54874cd76589124b750fdae90be75e1acf374566d56352c15dbbee98c095aad0e56db142952a808b08e4817bf5f8e176ffdc4ff79110d8661ee4f7ede16b2ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe

Filesize
959KB

MD5
69f6d2214bfcafa9236c1747b398a1af

SHA1
c3bbb7986ab728493a05c57dcb7f1a383258f3c9

SHA256
f13212b3462edbd5cd14d81b5397bf2f0281cc221c5464f4875c0ab0b84fe884

SHA512
59d55fa5a8d0518bf645001742e5ec0bbb0af6ca9203ed46ca9cc453e5be883de11e978bdfd68677a5f3653ee7a97cc1eeb8633fd4c5ece95790d166d1b22cd8

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt

Filesize
173B

MD5
45d8315aef0ae69006d5ef873d0c0b31

SHA1
021a2cda7e2315289206e3a49802278700376680

SHA256
936ee78a7972a02276c7a977046114f4307673a26e80aba7a7fc9d4d7f9a1d76

SHA512
f3937916bd6762833260d305882ca528adb3f0b96874bd721cd3902fb82a39a22ca859bb8fa4de3ee78c9a0c9d661d4254243dc7515232f9d80526f903721f79

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt

Filesize
415B

MD5
fd255b681713d0bc128c80536f1fa4db

SHA1
2572bb562e961ae23895387acc52af018921f6a9

SHA256
8ec7b241961d398f2166e02e484a0b8e70212b9fe82a320f94ed5b6922e2a4bb

SHA512
32af6159e4b0203f65d558f8022fc436814ec48828734401812fb8665fe5f44b1711b59bdc1df3417e7954b240d536fa4733548a1f017eeaf5166e3d5323963a

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json

Filesize
128B

MD5
270ade77b4358d215f30e625a2b172f6

SHA1
c407dcca0525ba0bb9d9c5d63ac78f7aa03ae03a

SHA256
7afa6b9dacfb8d546c8f9c386601999232fa9aa6bcc9879503ab2433e053c3c5

SHA512
af56d5ec7d603284db4fe340f5f5fc00c48b0e3d065660cb3d40088e6c4c35675cb7eaa6504803a11120d49e40d7aeb0f5321aacef79e5b074369722056bcd62

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network Persistent State

Filesize
194B

MD5
b38b8a330156eb7677945e77c8cf77dc

SHA1
da8a3a817aac14fdacf1fad98ae5f3f6016f456c

SHA256
3ee58c6cbcd92c049736f417a284876fb56a969870358cd3718a3e8ec7f9b184

SHA512
7e49e5c8fc2f37eb28ac8764084c5fedf1c784e6cfeb9a3ded1c01ba43951dab786ffec7d944d784adaf14c40c59906d78bcd81e0aa7622acb9424d295a4ed06

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network Persistent State~RFe591b00.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
memory/736-460-0x000001DFF5650000-0x000001DFF5672000-memory.dmp

Filesize
136KB

Download
memory/2036-492-0x00007FF6EDD30000-0x00007FF6EE2C7000-memory.dmp

Filesize
5.6MB

Download
memory/2388-14-0x0000000000400000-0x00000000006D7DB0-memory.dmp

Filesize
2.8MB

Download
memory/4320-493-0x0000019E54200000-0x0000019E54220000-memory.dmp

Filesize
128KB

Download
memory/4320-495-0x00007FF770240000-0x00007FF770A2F000-memory.dmp

Filesize
7.9MB

Download
memory/4384-494-0x00007FF6A1970000-0x00007FF6A1999000-memory.dmp

Filesize
164KB

Download
memory/4676-424-0x0000000000A60000-0x0000000000A66000-memory.dmp

Filesize
24KB

Download
memory/4992-465-0x00007FF633020000-0x00007FF6335B7000-memory.dmp

Filesize
5.6MB

Download