Malware analysis https://mcpedl.org/minecraft-pe-26-30-21-apk/ Malicious activity

Add for printing

URL:	https://mcpedl.org/minecraft-pe-26-30-21-apk/
Full analysis:	https://app.any.run/tasks/bc60c215-a74a-4bb5-b64d-b8c48976c329
Verdict:	Malicious activity
Analysis date:	April 29, 2026, 23:04:52
OS:	Android 14
Indicators:
MD5:	3F566C37BAC537748329B3B1885C0753
SHA1:	4FE06BB2FE4EE079A870C062F22592E39507F0A6
SHA256:	01FFBD4FED440B7F00A96B46A8064CFAF4DC5D39021DBCBC208465E4ED4AA16A
SSDEEP:	3:N8TADDPhg8iDn:2MXPhgz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Executes system commands or scripts
  - app_process64 (PID: 4920)
SUSPICIOUS
- Cpu information query suggesting anti-analysis behavior
  - app_process64 (PID: 4920)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 4920)
- Accesses memory information
  - app_process64 (PID: 4920)
- Accesses external device storage files
  - app_process64 (PID: 4920)
- Accesses system-level resources
  - app_process64 (PID: 4920)
- Establishing a connection
  - app_process64 (PID: 4920)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 4920)
- Checks Bluetooth audio routing status
  - app_process64 (PID: 4920)
- Uses encryption API functions
  - app_process64 (PID: 4920)
- Returns the name of the current network operator
  - app_process64 (PID: 4920)
INFO
- Loads a native library into the application
  - app_process64 (PID: 4920)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 4920)
- Retrieves CPU core information
  - app_process64 (PID: 4920)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 4920)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 4920)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 4920)
- Detects device power status
  - app_process64 (PID: 4920)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 4920)
- Returns elapsed time since boot
  - app_process64 (PID: 4920)
- Dynamically loads a class in Java
  - app_process64 (PID: 4920)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 4920)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

169

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3970	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4025	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4036	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4049	com.android.traceur	/system/bin/app_process64	—	app_process64
User: u0_a54 Integrity Level: UNKNOWN Exit code: 512
4068	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4091	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4151	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4173	com.android.providers.partnerbookmarks	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4242	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4262	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

307

Text files

377

Unknown types

Dropped files

PID	Process	Filename		Type
4242	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.WlCxIk/list.pb		binary
		MD5:—	SHA256:—
4242	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.WlCxIk/manifest.json		text
		MD5:—	SHA256:—
4242	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.WlCxIk/LICENSE		text
		MD5:—	SHA256:—
4242	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.WlCxIk/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
4242	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/cab4d1f0a6a2a1afecae808a520f6690dd2b9d58bf54762877f2dc9715d55461		binary
		MD5:—	SHA256:—
4262	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Lq5DiE/privacy-sandbox-attestations.dat		binary
		MD5:—	SHA256:—
4262	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Lq5DiE/manifest.json		text
		MD5:—	SHA256:—
4262	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Lq5DiE/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
4262	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/38c89b12bb20a8f2751c9c7cd2e31c173a47af08c115e1ecccc2f5151a2cf2c6		binary
		MD5:—	SHA256:—
4281	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Qii2hL/decoded_xz		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

120

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1921	app_process64	GET	204	142.251.153.119:443	https://www.google.com/generate_204	US	—	—	whitelisted
3970	app_process64	GET	200	142.250.154.138:80	http://clients2.google.com/time/1/current?cup2key=9:cFoDjcD1RD8lUXQxD2fTLG81C7WZ_0jD_Dgf4a-llvw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	105 b	whitelisted
2931	app_process64	POST	200	142.251.127.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	US	binary	778 b	whitelisted
2931	app_process64	POST	200	142.251.127.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABndt9OIQBILStY9XdjVB0DkMVl7CrxAe9TLI=&request_id=482a5192-f70f-4086-8c84-9651ade7c880	US	binary	11.8 Kb	whitelisted
3970	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acmmwq7dser4xm5sepzjv74g65vq_2023.7.28.10/cffplpkejcbdpfnfabnjikeicbedmifn_2023.07.28.10_all_acgbwixmcanakp2bkoppyszsbkrq.crx3	US	compressed	6.04 Kb	whitelisted
3970	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acpeapixpwuzscfa5h5j5m7c4xaa_2025.6.16.0/niikhdgajlphfehepabhhblakbdgeefj_2025.06.16.00_all_acgsomx5qtwgffxcrxwhoksfom7q.crx3	US	compressed	6.41 Kb	whitelisted
3970	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/gcmjkmgdlgnkkcocmoeiminaijmmjnii/b809333d493ae614f8a7c0f09385e344aad6c0188126095c0c61362c478435eb	US	binary	56.1 Kb	whitelisted
3970	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/obedbbhbpmojnkanicioggnmelmoomoc/e40bb820d29fb9a9bf8935fa5fbe77b363cf9c553cd0c1993bf0a9bec48686e4	US	binary	4.41 Mb	whitelisted
3970	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pg4njza7nbdid7jkzqa63dqjqy_662/lmelglejhemejginpboagddgdfbepgmp_662_all_ZZ_ac6u6ze7sm7u2dv6kzbnczrhotmq.crx3	US	compressed	390 Kb	whitelisted
3970	app_process64	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/lkptbildbpqiy52krytlomh6za_2026.3.23.1/kiabhabjdbkjdpjbpigfodbdjmbglcoo_2026.03.23.01_all_lij76gb6h65kut3ntuqwmflaom.crx3	US	compressed	8.98 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	142.251.150.119:80	www.google.com	GOOGLE	US	whitelisted
—	—	192.178.183.94:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.251.154.119:443	www.google.com	GOOGLE	US	whitelisted
452	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
3970	app_process64	142.250.154.138:80	google.com	GOOGLE	US	whitelisted
3970	app_process64	104.21.19.193:443	mcpedl.org	CLOUDFLARENET	US	whitelisted
3970	app_process64	142.251.155.119:443	www.google.com	GOOGLE	US	whitelisted
3970	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
3970	app_process64	88.212.202.52:443	counter.yadro.ru	UNITEDNET	RU	whitelisted
3970	app_process64	142.251.20.95:443	content-autofill.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
www.google.com	142.251.150.119 142.251.151.119 142.251.152.119 142.251.157.119 142.251.156.119 142.251.154.119 142.251.153.119 142.251.155.119	whitelisted
google.com	142.250.154.102 142.250.154.113 142.250.154.101 142.250.154.100 142.250.154.139 142.250.154.138	whitelisted
clients2.google.com	142.250.154.138 142.250.154.113 142.250.154.139 142.250.154.102 142.250.154.101 142.250.154.100	whitelisted
mcpedl.org	104.21.19.193 172.67.188.147	unknown
accounts.google.com	142.251.127.84	whitelisted
counter.yadro.ru	88.212.202.52 88.212.201.204 88.212.201.198	whitelisted
content-autofill.googleapis.com	142.251.20.95 142.251.14.95 142.251.13.95 142.251.110.95 142.250.154.95 142.251.127.95 192.178.183.95	whitelisted
www.googletagmanager.com	142.251.127.97	whitelisted
region1.google-analytics.com	216.239.32.36 216.239.34.36	whitelisted
connectivitycheck.gstatic.com	192.178.183.94	whitelisted

Threats

PID	Process	Class	Message
3970	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3970	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check
3970	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3970	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3970	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)

Add for printing

No debug info

General Info

https://mcpedl.org/minecraft-pe-26-30-21-apk/

3F566C37BAC537748329B3B1885C0753

4FE06BB2FE4EE079A870C062F22592E39507F0A6

01FFBD4FED440B7F00A96B46A8064CFAF4DC5D39021DBCBC208465E4ED4AA16A

3:N8TADDPhg8iDn:2MXPhgz

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Executes system commands or scripts

SUSPICIOUS

Cpu information query suggesting anti-analysis behavior

Updates data in the storage of application settings (SharedPreferences)

Accesses memory information

Accesses external device storage files

Accesses system-level resources

Establishing a connection

Collects data about the device's environment (JVM version)

Checks Bluetooth audio routing status

Uses encryption API functions

Returns the name of the current network operator

INFO

Loads a native library into the application

Retrieves data from storage of application settings (SharedPreferences)

Retrieves CPU core information

Dynamically registers broadcast event listeners

Retrieves the value of a secure system setting

Dynamically inspects or modifies classes, methods, and fields at runtime

Detects device power status

Verifies whether the device is connected to the internet

Returns elapsed time since boot

Dynamically loads a class in Java

Gets the display metrics associated with the device's screen

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings