File name:

MinecraftInstaller.msi

Full analysis: https://app.any.run/tasks/89e4c945-b9ab-4881-ab30-fd89acd36714
Verdict: Malicious activity
Analysis date: April 11, 2024, 12:38:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Minecraft Launcher, Author: Mojang, Keywords: Installer, Comments: This installer database contains the logic and data required to install Minecraft Launcher., Template: Intel;1033, Revision Number: {BC990100-219F-4A7E-BCD6-B88F054547B7}, Create Time/Date: Tue Feb 13 23:03:12 2024, Last Saved Time/Date: Tue Feb 13 23:03:12 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.9.1006.0), Security: 2
MD5: 02D7F8E22149E154487F2FDDDFCEC8C5
SHA1: 390019B5F2C24F14DD398AB4BA8BEF0183A923AF
SHA256: D9618862A64DA8A5C86F2C9CDE65B48AB92FF8BBC14D5F3C7946539A44E2DB17
SSDEEP: 98304:RezMF/MeIPrST1vMe5clIIoN2KIZd0O99oU1aikVB8VBlMo/tIB:6y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • NativeUpdater.exe (PID: 1728)
      • msiexec.exe (PID: 2120)
      • MinecraftLauncher.exe (PID: 3620)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 2292)
    • Executable content was dropped or overwritten

      • NativeUpdater.exe (PID: 1728)
      • MinecraftLauncher.exe (PID: 3620)
    • Reads the Internet Settings

      • MinecraftLauncher.exe (PID: 1484)
      • MinecraftLauncher.exe (PID: 3620)
    • Process drops legitimate windows executable

      • MinecraftLauncher.exe (PID: 3620)
  • INFO

    • Checks supported languages

      • NativeUpdater.exe (PID: 1728)
      • MinecraftLauncher.exe (PID: 1484)
      • MinecraftLauncher.exe (PID: 3620)
    • Reads the computer name

      • MinecraftLauncher.exe (PID: 1484)
      • MinecraftLauncher.exe (PID: 3620)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2120)
    • Creates files or folders in the user directory

      • NativeUpdater.exe (PID: 1728)
      • MinecraftLauncher.exe (PID: 1484)
      • MinecraftLauncher.exe (PID: 3620)
    • Reads product name

      • MinecraftLauncher.exe (PID: 1484)
      • MinecraftLauncher.exe (PID: 3620)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2120)
    • Reads the software policy settings

      • msiexec.exe (PID: 2120)
    • Reads Environment values

      • MinecraftLauncher.exe (PID: 1484)
      • MinecraftLauncher.exe (PID: 3620)
    • Manual execution by a user

      • MinecraftLauncher.exe (PID: 3620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (95.3)
.doc | Microsoft Word document (old ver.) (3.2)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Minecraft Launcher
Author: Mojang
Keywords: Installer
Comments: This installer database contains the logic and data required to install Minecraft Launcher.
Template: Intel;1033
RevisionNumber: {BC990100-219F-4A7E-BCD6-B88F054547B7}
CreateDate: 2024:02:13 23:03:12
ModifyDate: 2024:02:13 23:03:12
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.9.1006.0)
Security: Read-only recommended
All screenshots are available in the full report
Total processes: 47
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1


Process information

PID: 1484
Command line: MinecraftLauncher.exe
Path: C:\Program Files\Minecraft Launcher\MinecraftLauncher.exe
Parent process: NativeUpdater.exe
User: admin
Company: Mojang
Integrity Level: MEDIUM
Description: Minecraft Launcher
Exit code: 1
Version: 1.0.1.0
Modules (images):
  • c:\program files\minecraft launcher\minecraftlauncher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\winhttp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\webio.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 1728
Command line: tools\NativeUpdater.exe MinecraftLauncher.exe "C:\Program Files\Minecraft Launcher\update_files\Minecraft.exe"
Path: C:\Program Files\Minecraft Launcher\tools\NativeUpdater.exe
Parent process: MinecraftLauncher.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\program files\minecraft launcher\tools\nativeupdater.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msasn1.dll

PID: 2120
Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\MinecraftInstaller.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2292
Command line: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\vssvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 3620
Command line: "C:\Program Files\Minecraft Launcher\MinecraftLauncher.exe"
Path: C:\Program Files\Minecraft Launcher\MinecraftLauncher.exe
Parent process: explorer.exe
User: admin
Company: Mojang
Integrity Level: MEDIUM
Description: Minecraft Launcher
Version: 1.0.1.0
Modules (images):
  • c:\program files\minecraft launcher\minecraftlauncher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\winhttp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\webio.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
Total events: 5 323
Read events: 5 190
Write events: 133
Delete events: 0

Modification events

(PID) Process: (2120) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write, Name: LanguageList
Value:
en-US
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write, Name: IDENTIFY (Enter)
Value:
400000000000000036AB80370D8CDA01F408000074090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write, Name: IDENTIFY (Enter)
Value:
400000000000000036AB80370D8CDA01F408000068090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write, Name: IDENTIFY (Enter)
Value:
400000000000000036AB80370D8CDA01F4080000D8050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write, Name: IDENTIFY (Enter)
Value:
400000000000000036AB80370D8CDA01F40800003C090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write, Name: IDENTIFY (Leave)
Value:
4000000000000000900D83370D8CDA01F408000074090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write, Name: IDENTIFY (Leave)
Value:
4000000000000000900D83370D8CDA01F4080000D8050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write, Name: IDENTIFY (Leave)
Value:
4000000000000000900D83370D8CDA01F408000068090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write, Name: IDENTIFY (Leave)
Value:
4000000000000000EA6F85370D8CDA01F40800003C090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2292) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation: write, Name: PROVIDER_BEGINPREPARE (Enter)
Value:
40000000000000001EF853390D8CDA01F40800003C090000010400000100000000000000000000003333CDF2BB21A9479FBE1C8488110A950000000000000000
Executable files: 9
Suspicious files: 54
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2120 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI3E6B.tmp | executable
2120 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI6CA0.tmp | executable
1728 | NativeUpdater.exe | C:\Program Files\Minecraft Launcher\MinecraftLauncher.exe.backup | executable
1728 | NativeUpdater.exe | C:\Program Files\Minecraft Launcher\MinecraftLauncher.exe | executable
1728 | NativeUpdater.exe | C:\Users\admin\AppData\Roaming\.minecraft\updateLog.txt | text
1728 | NativeUpdater.exe | C:\Users\admin\AppData\Roaming\.minecraft\launcher_log.txt | text
1484 | MinecraftLauncher.exe | C:\Users\admin\AppData\Roaming\.minecraft\launcher_log0.txt | -
1484 | MinecraftLauncher.exe | C:\Users\admin\AppData\Roaming\.minecraft\launcher_log.txt | text
3620 | MinecraftLauncher.exe | C:\Users\admin\AppData\Roaming\.minecraft\launcher_log1.txt | text
3620 | MinecraftLauncher.exe | C:\Users\admin\AppData\Roaming\.minecraft\staging\7e58a693592b275153c585e0cc2a9fab88c70f1f | java
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 17
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1816 | MinecraftLauncher.exe | 35.186.247.156:443 | sentry.io | GOOGLE | US | unknown
1816 | MinecraftLauncher.exe | 13.107.213.64:443 | redstone-launcher.mojang.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1484 | MinecraftLauncher.exe | 35.186.247.156:443 | sentry.io | GOOGLE | US | unknown
1484 | MinecraftLauncher.exe | 13.107.213.64:443 | redstone-launcher.mojang.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1484 | MinecraftLauncher.exe | 13.107.246.64:443 | redstone-launcher.mojang.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3620 | MinecraftLauncher.exe | 35.186.247.156:443 | sentry.io | GOOGLE | US | unknown

DNS requests

Domain | IP | Reputation
redstone-launcher.mojang.com | 13.107.213.64, 13.107.246.64 | unknown
sentry.io | 35.186.247.156 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info