Malware analysis MinecraftInstaller.msi Malicious activity

Add for printing

File name:	MinecraftInstaller.msi
Full analysis:	https://app.any.run/tasks/309293db-af8f-4bf2-a590-3a9043b800da
Verdict:	Malicious activity
Analysis date:	August 12, 2024, 22:57:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Minecraft Launcher, Author: Mojang, Keywords: Installer, Comments: This installer database contains the logic and data required to install Minecraft Launcher., Template: Intel;1033, Revision Number: {BC990100-219F-4A7E-BCD6-B88F054547B7}, Create Time/Date: Tue Feb 13 23:03:12 2024, Last Saved Time/Date: Tue Feb 13 23:03:12 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.9.1006.0), Security: 2
MD5:	02D7F8E22149E154487F2FDDDFCEC8C5
SHA1:	390019B5F2C24F14DD398AB4BA8BEF0183A923AF
SHA256:	D9618862A64DA8A5C86F2C9CDE65B48AB92FF8BBC14D5F3C7946539A44E2DB17
SSDEEP:	98304:RezMF/MeIPrST1vMe5clIIoN2KIZd0O99oU1aikVB8VBlMo/tIB:6y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Drops the executable file immediately after the start
  - msiexec.exe (PID: 6728)
  - msiexec.exe (PID: 6860)
  - NativeUpdater.exe (PID: 7964)
  - MinecraftLauncher.exe (PID: 8024)
  - MinecraftLauncher.exe (PID: 7136)
- Executes as Windows Service
  - VSSVC.exe (PID: 7028)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 6860)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6860)
- Process drops legitimate windows executable
  - MinecraftLauncher.exe (PID: 8024)
- Executable content was dropped or overwritten
  - MinecraftLauncher.exe (PID: 7136)
  - NativeUpdater.exe (PID: 7964)
  - MinecraftLauncher.exe (PID: 8024)
- Application launched itself
  - MinecraftLauncher.exe (PID: 8024)
INFO
- Checks proxy server information
  - msiexec.exe (PID: 6728)
  - MinecraftLauncher.exe (PID: 7136)
  - MinecraftLauncher.exe (PID: 8024)
  - MinecraftLauncher.exe (PID: 3188)
  - MinecraftLauncher.exe (PID: 6056)
  - MinecraftLauncher.exe (PID: 7572)
  - MinecraftLauncher.exe (PID: 3360)
  - MinecraftLauncher.exe (PID: 1048)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 6728)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 6728)
  - MinecraftLauncher.exe (PID: 7136)
  - NativeUpdater.exe (PID: 7964)
  - MinecraftLauncher.exe (PID: 8024)
  - MinecraftLauncher.exe (PID: 7572)
- Checks supported languages
  - msiexec.exe (PID: 6860)
  - msiexec.exe (PID: 6724)
  - TextInputHost.exe (PID: 6296)
  - msiexec.exe (PID: 7092)
  - msiexec.exe (PID: 5400)
  - NativeUpdater.exe (PID: 7964)
  - MinecraftLauncher.exe (PID: 8024)
  - MinecraftLauncher.exe (PID: 6056)
  - MinecraftLauncher.exe (PID: 3188)
  - MinecraftLauncher.exe (PID: 3360)
  - MinecraftLauncher.exe (PID: 7572)
  - MinecraftLauncher.exe (PID: 1048)
  - MinecraftLauncher.exe (PID: 7136)
- Reads the computer name
  - msiexec.exe (PID: 6860)
  - msiexec.exe (PID: 6724)
  - TextInputHost.exe (PID: 6296)
  - msiexec.exe (PID: 7092)
  - msiexec.exe (PID: 5400)
  - MinecraftLauncher.exe (PID: 8024)
  - MinecraftLauncher.exe (PID: 7136)
  - MinecraftLauncher.exe (PID: 3188)
  - MinecraftLauncher.exe (PID: 6056)
  - MinecraftLauncher.exe (PID: 3360)
  - MinecraftLauncher.exe (PID: 7572)
  - MinecraftLauncher.exe (PID: 1048)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6728)
  - msiexec.exe (PID: 6860)
- Reads the software policy settings
  - msiexec.exe (PID: 6728)
  - msiexec.exe (PID: 6860)
  - MinecraftLauncher.exe (PID: 8024)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 6860)
  - MinecraftLauncher.exe (PID: 8024)
- Manual execution by a user
  - MinecraftLauncher.exe (PID: 7136)
  - firefox.exe (PID: 6868)
  - WinRAR.exe (PID: 6732)
- Application launched itself
  - firefox.exe (PID: 6868)
  - firefox.exe (PID: 3700)
- Creates files in the program directory
  - MinecraftLauncher.exe (PID: 7136)
  - MinecraftLauncher.exe (PID: 8024)
  - WinRAR.exe (PID: 6732)
- Reads Environment values
  - MinecraftLauncher.exe (PID: 7136)
  - MinecraftLauncher.exe (PID: 8024)
  - MinecraftLauncher.exe (PID: 3188)
  - MinecraftLauncher.exe (PID: 6056)
  - MinecraftLauncher.exe (PID: 7572)
  - MinecraftLauncher.exe (PID: 1048)
  - MinecraftLauncher.exe (PID: 3360)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 3700)
- Process checks computer location settings
  - MinecraftLauncher.exe (PID: 1048)
  - MinecraftLauncher.exe (PID: 8024)
  - MinecraftLauncher.exe (PID: 3360)
- Create files in a temporary directory
  - MinecraftLauncher.exe (PID: 8024)
- Creates a software uninstall entry
  - msiexec.exe (PID: 6860)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (95.3)
.doc	\|	Microsoft Word document (old ver.) (3.2)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Minecraft Launcher
Author:	Mojang
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Minecraft Launcher.
Template:	Intel;1033
RevisionNumber:	{BC990100-219F-4A7E-BCD6-B88F054547B7}
CreateDate:	2024:02:13 23:03:12
ModifyDate:	2024:02:13 23:03:12
Pages:	200
Words:	2
Software:	Windows Installer XML Toolset (3.9.1006.0)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

173

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1048

"C:\Program Files (x86)\hhhh\Minecraft Launcher\MinecraftLauncher.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=2328,i,3269271760247734166,12882409912904554043,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files (x86)\hhhh\Minecraft Launcher\MinecraftLauncher.exe

—

MinecraftLauncher.exe

User:

admin

Company:

Mojang

Integrity Level:

MEDIUM

Description:

Minecraft Launcher

Version:

1.0.1.0

Modules

Images
c:\program files (x86)\hhhh\minecraft launcher\minecraftlauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1140

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6044 -childID 8 -isForBrowser -prefsHandle 6020 -prefMapHandle 6008 -prefsLen 31937 -prefMapSize 244343 -jsInitHandle 1504 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a0c4b83-7031-4849-bc29-de070ff5037c} 3700 "\\.\pipe\gecko-crash-server-pipe.3700" 21b32227d90 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2068

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 30953 -prefMapSize 244343 -jsInitHandle 1504 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fef180f0-ceca-4df1-bca3-258c989440c0} 3700 "\\.\pipe\gecko-crash-server-pipe.3700" 21b2cd68850 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2476

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2960

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20240213221259 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 30537 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef632acf-2bb1-4b1e-854c-5990ed5769e0} 3700 "\\.\pipe\gecko-crash-server-pipe.3700" 21b275e0e10 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3188

"C:\Program Files (x86)\hhhh\Minecraft Launcher\MinecraftLauncher.exe" --type=gpu-process --no-sandbox --log-severity=info --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\admin\AppData\Roaming\.minecraft" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2176 --field-trial-handle=2328,i,3269271760247734166,12882409912904554043,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files (x86)\hhhh\Minecraft Launcher\MinecraftLauncher.exe

—

MinecraftLauncher.exe

User:

admin

Company:

Mojang

Integrity Level:

MEDIUM

Description:

Minecraft Launcher

Version:

1.0.1.0

Modules

Images
c:\program files (x86)\hhhh\minecraft launcher\minecraftlauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3360

"C:\Program Files (x86)\hhhh\Minecraft Launcher\MinecraftLauncher.exe" --type=renderer --log-severity=info --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --launcherui --workdir="C:\Users\admin\AppData\Roaming\.minecraft" --no-sandbox --log-file="C:\Users\admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=2328,i,3269271760247734166,12882409912904554043,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files (x86)\hhhh\Minecraft Launcher\MinecraftLauncher.exe

—

MinecraftLauncher.exe

User:

admin

Company:

Mojang

Integrity Level:

MEDIUM

Description:

Minecraft Launcher

Version:

1.0.1.0

Modules

Images
c:\program files (x86)\hhhh\minecraft launcher\minecraftlauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3700

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3992

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

5084

C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}

C:\Windows\SysWOW64\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

38 875

Read events

38 554

Write events

301

Delete events

Modification events


(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 480000000000000086DF652C0BEDDA01CC1A00008C1B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 480000000000000086DF652C0BEDDA01CC1A00008C1B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000AFC8CE2C0BEDDA01CC1A00008C1B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000AFC8CE2C0BEDDA01CC1A00008C1B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000E17CD32C0BEDDA01CC1A00008C1B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 48000000000000002044D82C0BEDDA01CC1A00008C1B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000CC1C4D2D0BEDDA01CC1A00008C1B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6860) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 480000000000000069804F2D0BEDDA01CC1A000058190000E80300000100000000000000000000001B1013C38CD942488BCB87F3DEA8E2B100000000000000000000000000000000
(PID) Process:	(7028) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 480000000000000082C15D2D0BEDDA01741B0000FC0C0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

458

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6860	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6728	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956		der
		MD5:FC1193C6345AC35188AA3DE0F824CEB7	SHA256:BDFB8FAFF4C0C0A15C642890A5544BD32F930F55CA199470DBD4736A32D6E200
6728	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956		binary
		MD5:8864083F21B93932E49CB727BE4D78F0	SHA256:F007A627BCC58CBB1F670D3715EBBD9AD3CFDE37BE46A201FE3CA4587194E6B0
6728	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:FB64A9EBEDF48D3895381D5B7D80743D	SHA256:EA21D495930AD76F267A33A0F593DBF0C7EA75E457FCAE49A29DAAD8BD920F42
6860	msiexec.exe	C:\Windows\Installer\MSI3FD1.tmp		executable
		MD5:785EE78478D43F00870E91FA96B94646	SHA256:B8665993CD5F7224E35C122A5C1965F8C4F2B4D9D41F75160B515E66F9AFFC53
6860	msiexec.exe	C:\Windows\Installer\MSI3F72.tmp		executable
		MD5:785EE78478D43F00870E91FA96B94646	SHA256:B8665993CD5F7224E35C122A5C1965F8C4F2B4D9D41F75160B515E66F9AFFC53
6860	msiexec.exe	C:\Windows\Temp\~DF33110224D68C7A1B.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6860	msiexec.exe	C:\Windows\Installer\MSI3F71.tmp		binary
		MD5:702225F22853B19112DB9AB044F906BC	SHA256:036B1C00CF91BDD88B653688F767E1A3975FACC755ABAEEE59CE779CFA9A5EB4
6860	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:5B29412C09846E158107E8ED39045FD7	SHA256:97794B14AB0C40983665751D3ABE760AE96E748DEBE5A4F5B76B3C21AB8F7FE8
6860	msiexec.exe	C:\Windows\Installer\{6A960B34-5197-49DE-AC60-1177DFE24976}\minecraft.ico		image
		MD5:1D4B0CC64CAFCBC3E70ADFC5DAA2F627	SHA256:57E3C89D247B4E2E419AE0F9DD3DA075AF8C73281DE26179EF04C1F2C0EF37E2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

158

DNS requests

177

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2324	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2324	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6484	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3700	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
6424	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3700	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
3700	firefox.exe	POST	200	2.16.202.121:80	http://r10.o.lencr.org/	unknown	—	—	unknown
3700	firefox.exe	POST	200	2.16.202.121:80	http://r11.o.lencr.org/	unknown	—	—	unknown
3700	firefox.exe	POST	200	2.16.202.121:80	http://r10.o.lencr.org/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
1420	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	2.23.209.187:443	www.bing.com	Akamai International B.V.	GB	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2324	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.11.168.232 51.104.136.2	whitelisted
google.com	172.217.16.206	whitelisted
www.bing.com	2.23.209.187 2.23.209.130 2.23.209.185 2.23.209.189 2.23.209.179 2.23.209.182 2.23.209.133 2.23.209.140 2.23.209.149	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.67 20.190.159.2 20.190.159.68 20.190.159.64 20.190.159.4 40.126.31.69 20.190.159.23 20.190.159.71	whitelisted
client.wns.windows.com	40.113.103.199 40.115.3.253	whitelisted
www.microsoft.com	104.79.89.142	whitelisted
fd.api.iris.microsoft.com	20.74.47.205	whitelisted
th.bing.com	2.23.209.130 2.23.209.133 2.23.209.187 2.23.209.140 2.23.209.189 2.23.209.149 2.23.209.182 2.23.209.179 2.23.209.185	whitelisted
arc.msn.com	20.103.156.88	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO File Sharing Service Domain in DNS Lookup (dropmefiles .com)
2256	svchost.exe	Misc activity	ET INFO File Sharing Service Domain in DNS Lookup (dropmefiles .com)
2256	svchost.exe	Misc activity	ET INFO File Sharing Service Domain in DNS Lookup (dropmefiles .com)
2256	svchost.exe	Misc activity	ET INFO File Sharing Service Domain in DNS Lookup (dropmefiles .com)
2256	svchost.exe	Misc activity	ET INFO File Sharing Service Domain in DNS Lookup (dropmefiles .com)
3700	firefox.exe	Misc activity	ET INFO Observed File Sharing Service Domain (dropmefiles .com in TLS SNI)
3700	firefox.exe	Misc activity	ET INFO Observed File Sharing Service Domain (dropmefiles .com in TLS SNI)
3700	firefox.exe	Misc activity	ET INFO Observed File Sharing Service Domain (dropmefiles .com in TLS SNI)
3700	firefox.exe	Misc activity	ET INFO Observed File Sharing Service Domain (dropmefiles .com in TLS SNI)
3700	firefox.exe	Misc activity	ET INFO Observed File Sharing Service Domain (dropmefiles .com in TLS SNI)

Add for printing

Process	Message
MinecraftLauncher.exe	[0812/230253.921:INFO:main_context.cpp(131)] CEF initialized successfully.
MinecraftLauncher.exe	[0812/230253.921:INFO:main_context.cpp(133)] CEF version: 99.2.14+g3f796b8+chromium-99.0.4844.84

General Info

MinecraftInstaller.msi

02D7F8E22149E154487F2FDDDFCEC8C5

390019B5F2C24F14DD398AB4BA8BEF0183A923AF

D9618862A64DA8A5C86F2C9CDE65B48AB92FF8BBC14D5F3C7946539A44E2DB17

98304:RezMF/MeIPrST1vMe5clIIoN2KIZd0O99oU1aikVB8VBlMo/tIB:6y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Drops the executable file immediately after the start

Executes as Windows Service

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Executable content was dropped or overwritten

Application launched itself

INFO

Checks proxy server information

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Executable content was dropped or overwritten

Reads the software policy settings

Reads the machine GUID from the registry

Manual execution by a user

Application launched itself

Creates files in the program directory

Reads Environment values

Reads Microsoft Office registry keys

Process checks computer location settings

Create files in a temporary directory

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings