Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-12-2024 03:09

General

  • Target

    intager.exe

  • Size

    3.1MB

  • MD5

    5d0bfe1b693c6fd64a77d4b5fb028ade

  • SHA1

    e080ec222e7e6ef23a1d57493399e9fcc8aff537

  • SHA256

    1b9abaa17e10d390aa0402d09635814641f3194ac18b6d5ddad825c45f7245f4

  • SHA512

    5010ba377b66360cca843b497f0b5b3cdf98b7d72a435d7a4e150c2bec4e02243db3b9ffb6e8b815009f1fc0bad510ef5dc8e302bc28083031adae044c20c51d

  • SSDEEP

    49152:TvtD/2oga6ctePEl3s3jn7HZkgPBgzMgbRwLoGdz7THHB72eh2NT:TvR/2oga6ctePEl3s3L7HZkgPBgzM3

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

minecraft_updater

C2

https://pastebin.com/raw/vxJGbg64:33006

Mutex

4d29c496-7884-4de7-a5a8-82e57928b74a

Attributes
  • encryption_key

    C5904FDD788EA00F921C538B9FE80C0B0A0DE728

  • install_name

    MinecraftUpdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    MinecraftUpdater

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\intager.exe
    "C:\Users\Admin\AppData\Local\Temp\intager.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2268
    • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4824
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vzZUaJ4WLAM.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4672
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2376
          • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4812
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2256
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSPBQhf2ZH0A.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2340
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:952
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2468
                • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2816
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4360
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ciOVCCMrktI.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4564
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:5036
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:3276
                      • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3436
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3360
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pMGijJBryng.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3484
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4124
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4988
                            • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3176
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:3204
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EFzzHvhWBTyK.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4908
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:2036
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:2484
                                  • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4016
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4624
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iXOF5TGCASI2.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:544
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:1184
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3300
                                        • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:412
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:344
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWWwAJXOFnMI.bat" "
                                            15⤵
                                              PID:1928
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:1196
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:4652
                                                • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1052
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3368
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoesSGuOZJGP.bat" "
                                                    17⤵
                                                      PID:4056
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:4644
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:3060
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5088
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1200
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4tcOFFXxu8hg.bat" "
                                                            19⤵
                                                              PID:2228
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:4528
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:2600
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1708
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3116
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1KlMGfarHrW7.bat" "
                                                                    21⤵
                                                                      PID:4464
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:2880
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:2736
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4808
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:1956
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QRhiswDFLrf.bat" "
                                                                            23⤵
                                                                              PID:3184
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:2324
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:3204
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3604
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:5116
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jM5EjJeDi0YT.bat" "
                                                                                    25⤵
                                                                                      PID:1800
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:1396
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:3256
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3092
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4948
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ghSs72NI4bj9.bat" "
                                                                                            27⤵
                                                                                              PID:4900
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:1124
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:1248
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:4848
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2024
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ug09VeCELg8h.bat" "
                                                                                                    29⤵
                                                                                                      PID:2256
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:5028
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:4792
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2900
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:2756
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vLbgtB1oD6H.bat" "
                                                                                                            31⤵
                                                                                                              PID:3128
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:4600
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:1392

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MinecraftUpdater.exe.log

                                                    Filesize

                                                    2KB


                                                  • C:\Users\Admin\AppData\Local\Temp\0ciOVCCMrktI.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\1KlMGfarHrW7.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\4tcOFFXxu8hg.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\5QRhiswDFLrf.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\6vLbgtB1oD6H.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\6vzZUaJ4WLAM.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\8pMGijJBryng.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\EFzzHvhWBTyK.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\SoesSGuOZJGP.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\Ug09VeCELg8h.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\XWWwAJXOFnMI.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\ghSs72NI4bj9.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\iXOF5TGCASI2.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\jM5EjJeDi0YT.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Local\Temp\oSPBQhf2ZH0A.bat

                                                    Filesize

                                                    217B


                                                  • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe

                                                    Filesize

                                                    3.1MB


                                                  • memory/1060-18-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1060-13-0x000000001C520000-0x000000001C5D2000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/1060-12-0x000000001C410000-0x000000001C460000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/1060-11-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1060-10-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4216-0-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/4216-9-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4216-2-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4216-1-0x0000000000460000-0x0000000000784000-memory.dmp

                                                    Filesize

                                                    3.1MB