File verdict · Decided by the MT AI Engine
Our call

Safe

Microsoft-signed Minecraft installer shows clean engine results, high prevalence, and contacts legitimate PlayFab services despite some heuristic flags on packing and MITRE techniques.

Verified · Microsoft Corporation
Trust score: 92 (High trust)
MT AI confidence · 90%
MinecraftInstaller.exe
32.3 MB
0fc1ded9a9459789b7e7c8e2bf17
Antivirus engines
0 of 74 flagged
Code signing
Signed by Microsoft Corporation
Age
First seen 1y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 90% (Very high)
Reasoning

Zero malicious detections from strong coverage, combined with Microsoft's verified trusted signature, anchor this as safe under signed commercial criteria. High submission prevalence and age support commodity legitimacy, while contacted PlayFab URLs confirm expected game-service behaviour. Heuristics like process injection flags appear tied to sandbox observations (e.g., svchost/lsass processes) rather than confirmed threats, and YARA hits lack engine corroboration. Similar imphash priors were suspicious but lacked this signer strength.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. signing.trustedPublisher.matched=true ('Microsoft')

  2. engines.tier1Malicious=0 / 17 tier1 clean (Avast/AVG/Avira/BitDefender/etc.)

  3. prevalence: 36404 submissions / common_old

  4. contactedUrls: 'https://b7b52.playfabapi.com' (PlayFab, MS gaming backend)

  5. filenameAnalysis.hasInstallerHint=true ('MinecraftInstaller.exe')

Points in its favour
  • 0/70 engines malicious, 17 tier1 clean
  • signing: Microsoft trustedPublisher.matched
  • prevalence: common_old (36k submissions)
  • No malicious sandbox/dropped children/hosts
  • hasInstallerHint=true, PlayFab game backend contacts
Points against
  • High code entropy (7.495) and likelyPacked=true
  • triggeredHeuristics: ProcessInjection (T1055), CredentialDumper (LSASS)
  • externalIntel.yaraify.ruleCount=15 including debugger/PowerShell rules
  • similarHashes: 3 suspicious priors by imphash
  • behaviour: direct IP contacts (16 IPs, though domain-resolved)
  • tags: detect-debug-environment, long-sleeps
What to do

This file is safe to run, consistent with legitimate Microsoft-signed Minecraft software. Always download installers from official Mojang/Microsoft sites to ensure authenticity.

Threat family attribution

adonunix2 corroborated by 1 source

  • 15 YARA rules
    adonunix2, BitcoinAddress, DebuggerCheck__API
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
21

Adversary techniques mapped to the MITRE ATT&CK framework.

  • T1010
  • T1012
  • T1027
  • T1027.002
  • T1036
  • T1055
  • T1059
  • T1071
  • T1082
  • T1083
  • T1095
  • T1106
  • T1112
  • T1497
  • T1497.001
  • T1518.001
  • T1547.001
  • T1562.001
  • T1573
  • T1574.002
  • T1620
Spawned processes
15
  • "C:\Users\<USER>\Desktop\program.exe"
  • C:\Windows\system32\services.exe
  • C:\Windows\System32\svchost.exe -k NetworkService -p
  • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  • C:\Windows\system32\lsass.exe
  • C:\Windows\system32\svchost.exe -k LocalService -s W32Time
  • %SAMPLEPATH%\MinecraftInstaller.exe
+7 more processes captured.
Network activity
22
IP addresses (20)
  • 20.42.183.39
  • 20.42.182.104
  • 20.99.133.109
  • 184.27.218.92
  • 23.55.140.42
  • 20.96.153.111
  • 23.196.145.221
  • 20.42.183.33
  • 23.32.75.164
  • 20.69.140.28
+10 more
URLs (2)
  • https://b7b52.playfabapi.com:443/Client/LoginWithCustomID?sdk=CSharpSDK-1.108.220118
  • https://b7b52.playfabapi.com/Client/LoginWithCustomID?sdk=CSharpSDK-1.108.220118
Filesystem & mutexes
10
Files written (5)
  • C:\Users\<USER>\AppData\Local\MinecraftInstaller\deviceId.txt
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
  • C:\Users\user\AppData\Local\MinecraftInstaller
  • C:\Users\user\AppData\Local\MinecraftInstaller\deviceId.txt
  • C:\Users\user\AppData\Roaming
Files deleted (1)
  • C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
Mutexes created (4)
  • C898CC08-5DBF-4405-A5A1-4910C775BA15
  • \Sessions\1\BaseNamedObjects\C898CC08-5DBF-4405-A5A1-4910C775BA15
  • \Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__
  • \Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen (never scanned, never seen before)
  • 27aaeea467a640cb0c6ee7c824
  • 26ab16c42676d51a31b7949f10
  • 5134fe13cd6babc5e6eb6e04d1
  • 1b25ba760ec5f766abada24a37
  • 63f59089f0964e819e552294d1
  • 107a402e4c346779e7816651b8
  • b0014c02ae0f527cb6e6f1006a
  • ca27bba98d1323a75fb258109c
  • 248104811b883f53f1768b8a29
  • a7d4d7270f2b33811a4174252a
External threat intelligence

1 corroborating signal from researcher-curated sources

YARAify HIT · 15 community rules matched
  • adonunix2 (by Tim Brown @timb_machine)
    AD on UNIX
  • BitcoinAddress (by Didier Stevens @DidierStevens)
    Contains a valid Bitcoin address
  • DebuggerCheck__API
  • DebuggerCheck__QueryInfo
  • Detect_PowerShell_Obfuscation (by daniyyell)
    Detects obfuscated PowerShell commands commonly used in malicious scripts.
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

5 YARAify · 3 synthesis
MITRE ATT&CK profile
Defense evasion ×1 · Cred access ×1 · C2 ×1
YARAify (community)
Researcher-authored rules via abuse.ch
  • adonunix2
  • BitcoinAddress
  • DebuggerCheck__API
  • DebuggerCheck__QueryInfo
  • Detect_PowerShell_Obfuscation
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\System32\svchost.exe -k NetworkService -p
  • CredentialDumper (medium)

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2 (medium)

    Sample contacted 16 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    20.42.183.39 · 20.42.182.104 · 20.99.133.109
Antivirus engine breakdown

0 detections across 74 engines

0 malicious · 0 suspicious · 74 clean
Tier-1: 17 engines, 0 flagged (top commercial AVs, low FP rate)
Tier-2: 37 engines, 0 flagged (mainstream engines with mixed FP rates)
Low-trust: 20 engines, 0 flagged (heuristic / generic-AI engines, high FP rate)
All 74 engines report this file as clean.
Hash 0fc1ded9a945… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.

Entropy 7.50 · Likely packed
Section entropy (3 sections)
  • .text: 7.72 (packed)
  • .rsrc: 5.25
  • .reloc: 0.12
Packed threshold: 7.2 (scale 0.0 to 8.0)
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
3,667
Hundreds of people have uploaded this — common.
Total submissions
36,404
Includes repeat uploads by the same source.
First seen by VT
1y ago
Apr 10, 2025
Prevalence quadrant (this file: Common · Old)
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries (this file)
File identity

Forensic fingerprint

File biography
First seen (VT): 4/10/2025, 1:56:59 PM
First seen (MalwareBazaar):
Last analysis (VT): 5/2/2026, 11:22:43 AM
Scanned here: 5/2/2026, 11:30:13 AM
File name: MinecraftInstaller.exe
Size: 32.34 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: 0fc1ded9a9459789b76104275682e603868181a0e1928ec0681810e7c8e2bf17
MD5: afc010d82c412d72c66f51768671a976
SHA-1: 5069c9d61d180af0ed8924cb951423fc4ca74511
PE imphash: f34d5f2d4577ed6d9ceec516c1f5a744
First scan (MalwareTips): 5/2/2026, 11:30:13 AM
Last scan (MalwareTips): 5/2/2026, 11:30:13 AM
Code signer: Microsoft Corporation (verified)
Community reputation: +11 (trusted)
Behavior tags: signed, long-sleeps, overlay, peexe, assembly, detect-debug-environment
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.