Malware Analysis Report

2025-01-02 11:50

Sample ID 230102-2gfjesgd48
Target mmc-stable-win32.zip
SHA256 2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
Tags
bazarbackdoor backdoor upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e

Threat Level: Known bad

The file mmc-stable-win32.zip was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor upx

BazarBackdoor

Bazar/Team9 Backdoor payload

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Blocklisted process makes network request

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-02 22:33

Signatures

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

26s

Max time network

30s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Network

N/A

Files

memory/1364-54-0x0000000000000000-mapping.dmp

memory/1364-55-0x0000000075611000-0x0000000075613000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Network

N/A

Files

memory/948-54-0x0000000000000000-mapping.dmp

memory/948-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

140s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1728 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1728 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 20.189.173.14:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/3500-132-0x0000000000000000-mapping.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

94s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Network

Country Destination Domain Proto
N/A 20.42.65.85:443 tcp
N/A 104.80.225.205:443 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp

Files

memory/2520-132-0x0000000000000000-mapping.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

26s

Max time network

30s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 264

Network

N/A

Files

memory/840-54-0x0000000000000000-mapping.dmp

memory/840-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

memory/2024-56-0x0000000000000000-mapping.dmp

memory/840-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/840-58-0x0000000061940000-0x0000000061EB5000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

112s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4420 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4420 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4420 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 716

Network

Country Destination Domain Proto
N/A 52.178.17.2:443 tcp
N/A 52.109.76.31:443 tcp

Files

memory/4952-132-0x0000000000000000-mapping.dmp

memory/4952-133-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220812-en

Max time kernel

41s

Max time network

45s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 264

Network

N/A

Files

memory/1120-54-0x0000000000000000-mapping.dmp

memory/1120-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

memory/1120-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/916-56-0x0000000000000000-mapping.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 5104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5092 wrote to memory of 5104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5092 wrote to memory of 5104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 20.189.173.4:443 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp

Files

memory/5104-132-0x0000000000000000-mapping.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

30s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1360 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1360 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1360 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1360 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1360 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1360 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Network

N/A

Files

memory/1748-54-0x0000000000000000-mapping.dmp

memory/1748-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 264

Network

N/A

Files

memory/1512-54-0x0000000000000000-mapping.dmp

memory/1512-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

memory/936-56-0x0000000000000000-mapping.dmp

memory/1512-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20221111-en

Max time kernel

112s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2500 wrote to memory of 2612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2500 wrote to memory of 2612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Network

Country Destination Domain Proto
N/A 104.80.225.205:443 tcp
N/A 40.79.189.58:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/2612-132-0x0000000000000000-mapping.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 1724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1216 wrote to memory of 1724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1216 wrote to memory of 1724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1216 wrote to memory of 1724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1216 wrote to memory of 1724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1216 wrote to memory of 1724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1216 wrote to memory of 1724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Network

N/A

Files

memory/1724-54-0x0000000000000000-mapping.dmp

memory/1724-55-0x00000000760D1000-0x00000000760D3000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

141s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 848 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 848 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2028 -ip 2028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 676

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 104.80.225.205:443 tcp

Files

memory/2028-132-0x0000000000000000-mapping.dmp

memory/2028-133-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/2028-134-0x0000000061940000-0x0000000061EB5000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

129s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 676

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 93.184.220.29:80 tcp
N/A 52.182.143.210:443 tcp

Files

memory/2400-132-0x0000000000000000-mapping.dmp

memory/2400-133-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

29s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 276

Network

N/A

Files

memory/1256-54-0x0000000000000000-mapping.dmp

memory/1256-55-0x0000000076391000-0x0000000076393000-memory.dmp

memory/1700-56-0x0000000000000000-mapping.dmp

memory/1256-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220901-en

Max time kernel

43s

Max time network

48s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Network

N/A

Files

memory/2032-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

memory/2032-64-0x0000000002400000-0x0000000005400000-memory.dmp

memory/2032-65-0x0000000002400000-0x0000000005400000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220812-en

Max time kernel

41s

Max time network

45s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar

Network

N/A

Files

memory/1992-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

memory/1992-64-0x00000000022B0000-0x00000000052B0000-memory.dmp

memory/1992-65-0x00000000022B0000-0x00000000052B0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20221111-en

Max time kernel

90s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3684 wrote to memory of 4828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3684 wrote to memory of 4828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3684 wrote to memory of 4828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4828 -ip 4828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 676

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 104.80.225.205:443 tcp
N/A 40.79.189.58:443 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.238.21.126:80 tcp

Files

memory/4828-132-0x0000000000000000-mapping.dmp

memory/4828-133-0x0000000002260000-0x00000000028A4000-memory.dmp

memory/4828-135-0x0000000002260000-0x00000000028A4000-memory.dmp

memory/4828-136-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/4828-138-0x0000000061940000-0x0000000061EB5000-memory.dmp

memory/4828-139-0x0000000002260000-0x00000000028A4000-memory.dmp

memory/4828-140-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220901-en

Max time kernel

46s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

Network

N/A

Files

memory/1776-54-0x0000000000000000-mapping.dmp

memory/1776-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

memory/1776-56-0x0000000002210000-0x0000000002854000-memory.dmp

memory/1776-58-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/1776-59-0x0000000061940000-0x0000000061EB5000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220901-en

Max time kernel

43s

Max time network

49s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Network

N/A

Files

memory/1748-54-0x0000000000000000-mapping.dmp

memory/1748-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

141s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 1864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3624 wrote to memory of 1864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3624 wrote to memory of 1864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 52.168.117.170:443 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp

Files

memory/1864-132-0x0000000000000000-mapping.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220812-en

Max time kernel

41s

Max time network

45s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1780 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Network

N/A

Files

memory/2028-54-0x0000000000000000-mapping.dmp

memory/2028-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220901-en

Max time kernel

90s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 4648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4644 wrote to memory of 4648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4644 wrote to memory of 4648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 104.80.225.205:443 tcp
N/A 51.132.193.104:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/4648-135-0x0000000000000000-mapping.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20221111-en

Max time kernel

59s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Network

Country Destination Domain Proto
N/A 104.80.225.205:443 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp

Files

memory/3004-132-0x0000000000000000-mapping.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20221111-en

Max time kernel

125s

Max time network

129s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar

Network

Country Destination Domain Proto
N/A 20.189.173.15:443 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/4616-134-0x0000000002E40000-0x0000000003E40000-memory.dmp

memory/4616-142-0x0000000002E40000-0x0000000003E40000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Network

N/A

Files

memory/1652-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

memory/1652-55-0x0000000000330000-0x0000000000348000-memory.dmp

memory/1652-56-0x0000000000DE0000-0x0000000001424000-memory.dmp

memory/1652-58-0x0000000070940000-0x000000007095C000-memory.dmp

memory/1652-59-0x0000000061740000-0x0000000061771000-memory.dmp

memory/1652-60-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/1652-61-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/1652-62-0x0000000061940000-0x0000000061EB5000-memory.dmp

memory/1652-63-0x0000000070940000-0x000000007095C000-memory.dmp

memory/1652-65-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/1652-64-0x0000000061740000-0x0000000061771000-memory.dmp

memory/1652-66-0x0000000063400000-0x0000000063415000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 4204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 4204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 4204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4204 -ip 4204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 676

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 93.184.220.29:80 tcp
N/A 93.184.220.29:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 104.80.225.205:443 tcp
N/A 93.184.221.240:80 tcp
N/A 20.189.173.2:443 tcp

Files

memory/4204-132-0x0000000000000000-mapping.dmp

memory/4204-133-0x0000000002EB0000-0x0000000003425000-memory.dmp

memory/4204-135-0x0000000002EB0000-0x0000000003425000-memory.dmp

memory/4204-136-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/4204-137-0x0000000002EB0000-0x0000000003425000-memory.dmp

memory/4204-138-0x0000000061DC0000-0x0000000062404000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20221111-en

Max time kernel

95s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1988 -ip 1988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 676

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
N/A 13.78.111.198:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.220.29:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/1988-132-0x0000000000000000-mapping.dmp

memory/1988-133-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220812-en

Max time kernel

137s

Max time network

148s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 13.69.109.130:443 tcp

Files

memory/4324-141-0x0000000002410000-0x0000000003410000-memory.dmp

memory/4324-142-0x0000000002410000-0x0000000003410000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win10v2004-20220901-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre1.8.0_351\installer.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIE8A9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE04A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180351F0} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c33b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58c33b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID8C7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE6C3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c33e.msi C:\Windows\system32\msiexec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductName = "Java 8 Update 351 (64-bit)" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\PackageCode = "97BA944EF7A3CCC4488541CAD6E00626" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800\4EA42A62D9304AC4784BF2468130150F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\PackageName = "jre1.8.0_35164.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F\jrecore C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Version = "134221238" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductIcon = "C:\\Program Files\\Java\\jre1.8.0_351\\\\bin\\javaws.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 5072 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 5072 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
PID 5072 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
PID 5072 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\ProgramData\Oracle\Java\javapath\javaw.exe
PID 5072 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\ProgramData\Oracle\Java\javapath\javaw.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2384 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2392 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3028 wrote to memory of 2052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\ProgramData\Oracle\Java\javapath\javaw.exe

javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.481424582\1068854234" -parentBuildID 20200403170909 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 1 -prefMapSize 219940 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1816 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.3.1862060731\141440575" -childID 1 -isForBrowser -prefsHandle 2492 -prefMapHandle 2420 -prefsLen 112 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2548 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.13.352290668\1301072536" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 6894 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3556 tab

C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

"C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe"

C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe

"C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 2B64827738D1A9249EE11EE6FAA2B2CC

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x30c 0x35c

C:\Program Files\Java\jre1.8.0_351\installer.exe

"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}

C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\bspatch.exe

"bspatch.exe" baseimagefam8 newimage diff

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 files.multimc.org udp
N/A 172.67.147.103:443 files.multimc.org tcp
N/A 209.197.3.8:80 tcp
N/A 2.18.109.224:443 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 204.79.197.200:443 tcp
N/A 127.0.0.1:49795 tcp
N/A 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 8.8.8.8:53 search.services.mozilla.com udp
N/A 127.0.0.1:49798 tcp
N/A 35.241.9.150:443 firefox.settings.services.mozilla.com tcp
N/A 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 34.160.46.54:443 search.services.mozilla.com tcp
N/A 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 8.8.8.8:53 search.r53-2.services.mozilla.com udp
N/A 8.8.8.8:53 search.r53-2.services.mozilla.com udp
N/A 8.8.8.8:53 shavar.services.mozilla.com udp
N/A 52.11.129.249:443 shavar.services.mozilla.com tcp
N/A 8.8.8.8:53 shavar.prod.mozaws.net udp
N/A 8.8.8.8:53 shavar.prod.mozaws.net udp
N/A 8.8.8.8:53 push.services.mozilla.com udp
N/A 35.241.9.150:443 firefox.settings.services.mozilla.com tcp
N/A 8.8.8.8:53 autopush.prod.mozaws.net udp
N/A 8.8.8.8:53 autopush.prod.mozaws.net udp
N/A 54.187.102.159:443 push.services.mozilla.com tcp
N/A 8.8.8.8:53 a1887.dscq.akamai.net udp
N/A 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
N/A 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
N/A 8.8.8.8:53 a1887.dscq.akamai.net udp
N/A 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 8.8.8.8:53 snippets.cdn.mozilla.net udp
N/A 65.9.86.24:443 snippets.cdn.mozilla.net tcp
N/A 8.8.8.8:53 d228z91au11ukj.cloudfront.net udp
N/A 8.8.8.8:53 d228z91au11ukj.cloudfront.net udp
N/A 8.8.8.8:53 cs9.wac.phicdn.net udp
N/A 8.8.8.8:53 cs9.wac.phicdn.net udp
N/A 65.9.86.24:443 d228z91au11ukj.cloudfront.net tcp
N/A 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
N/A 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
N/A 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
N/A 88.221.25.176:80 a1887.dscq.akamai.net tcp
N/A 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
N/A 8.8.8.8:53 bdeeb3d3f2ce8abffd84fc3a380fc37c.clo.footprintdns.com udp
N/A 8.8.8.8:53 www.facebook.com udp
N/A 8.8.8.8:53 www.wikipedia.org udp
N/A 8.8.8.8:53 star-mini.c10r.facebook.com udp
N/A 8.8.8.8:53 youtube-ui.l.google.com udp
N/A 8.8.8.8:53 dyna.wikimedia.org udp
N/A 8.8.8.8:53 youtube-ui.l.google.com udp
N/A 8.8.8.8:53 star-mini.c10r.facebook.com udp
N/A 20.108.172.194:443 bdeeb3d3f2ce8abffd84fc3a380fc37c.clo.footprintdns.com tcp
N/A 8.8.8.8:53 www.reddit.com udp
N/A 8.8.8.8:53 dyna.wikimedia.org udp
N/A 8.8.8.8:53 twitter.com udp
N/A 8.8.8.8:53 reddit.map.fastly.net udp
N/A 8.8.8.8:53 twitter.com udp
N/A 8.8.8.8:53 reddit.map.fastly.net udp
N/A 8.8.8.8:53 twitter.com udp
N/A 8.8.8.8:53 dual-s-ring.msedge.net udp
N/A 8.8.8.8:53 java.com udp
N/A 84.53.185.139:80 java.com tcp
N/A 8.8.8.8:53 java.com udp
N/A 8.8.8.8:53 java.com udp
N/A 8.8.8.8:53 www.java.com udp
N/A 84.53.185.179:80 www.java.com tcp
N/A 8.8.8.8:53 e91569.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 e91569.dscx.akamaiedge.net udp
N/A 84.53.185.179:443 e91569.dscx.akamaiedge.net tcp
N/A 8.8.8.8:53 static.ocecdn.oraclecloud.com udp
N/A 69.192.66.17:443 static.ocecdn.oraclecloud.com tcp
N/A 8.8.8.8:53 e11445.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 e11445.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 s.go-mpulse.net udp
N/A 23.222.18.199:443 s.go-mpulse.net tcp
N/A 8.8.8.8:53 e4518.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 e4518.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 www.oracle.com udp
N/A 95.101.125.213:443 www.oracle.com tcp
N/A 95.101.125.213:443 www.oracle.com tcp
N/A 8.8.8.8:53 e2581.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 e2581.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 c.oracleinfinity.io udp
N/A 69.192.64.212:443 c.oracleinfinity.io tcp
N/A 8.8.8.8:53 e11123.x.akamaiedge.net udp
N/A 8.8.8.8:53 e11123.x.akamaiedge.net udp
N/A 8.8.8.8:53 c.go-mpulse.net udp
N/A 104.73.135.233:443 c.go-mpulse.net tcp
N/A 8.8.8.8:53 e4518.dscapi7.akamaiedge.net udp
N/A 8.8.8.8:53 e4518.dscapi7.akamaiedge.net udp
N/A 8.8.8.8:53 consent.trustarc.com udp
N/A 18.65.39.5:443 consent.trustarc.com tcp
N/A 8.8.8.8:53 consent.trustarc.com udp
N/A 8.8.8.8:53 consent.trustarc.com udp
N/A 8.8.8.8:53 dc.oracleinfinity.io udp
N/A 138.1.45.89:443 dc.oracleinfinity.io tcp
N/A 8.8.8.8:53 dc.oracleinfinity.io.akadns.net udp
N/A 8.8.8.8:53 dc.oracleinfinity.io.akadns.net udp
N/A 127.0.0.1:49805 tcp
N/A 8.8.8.8:53 oracle.112.2o7.net udp
N/A 15.236.176.210:443 oracle.112.2o7.net tcp
N/A 8.8.8.8:53 oracle.112.2o7.net udp
N/A 8.8.8.8:53 oracle.112.2o7.net udp
N/A 138.1.45.89:443 dc.oracleinfinity.io.akadns.net tcp
N/A 138.1.45.89:443 dc.oracleinfinity.io.akadns.net tcp
N/A 138.1.45.89:443 dc.oracleinfinity.io.akadns.net tcp
N/A 138.1.45.89:443 dc.oracleinfinity.io.akadns.net tcp
N/A 8.8.8.8:53 javadl.oracle.com udp
N/A 69.192.71.29:443 javadl.oracle.com tcp
N/A 8.8.8.8:53 e13073.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 e13073.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 sdlc-esd.oracle.com udp
N/A 104.85.4.85:443 sdlc-esd.oracle.com tcp
N/A 8.8.8.8:53 e2875.dscd.akamaiedge.net udp
N/A 8.8.8.8:53 e2875.dscd.akamaiedge.net udp
N/A 8.8.8.8:53 javadl-esd-secure.oracle.com udp
N/A 23.222.50.60:443 javadl-esd-secure.oracle.com tcp

Files

memory/5072-132-0x00000000013F0000-0x0000000001965000-memory.dmp

memory/5072-134-0x0000000000C81000-0x0000000000C83000-memory.dmp

memory/5072-136-0x0000000070940000-0x000000007095C000-memory.dmp

memory/5072-135-0x00000000013F0000-0x0000000001965000-memory.dmp

memory/5072-137-0x0000000061740000-0x0000000061771000-memory.dmp

memory/5072-138-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/5072-139-0x0000000000400000-0x00000000009FB000-memory.dmp

memory/5072-140-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/5072-143-0x0000000061740000-0x0000000061771000-memory.dmp

memory/5072-142-0x0000000070940000-0x000000007095C000-memory.dmp

memory/5072-144-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/5072-145-0x0000000063400000-0x0000000063415000-memory.dmp

memory/5072-141-0x00000000013F0000-0x0000000001965000-memory.dmp

memory/5072-146-0x0000000061DC0000-0x0000000062404000-memory.dmp

memory/5072-147-0x0000000000400000-0x00000000009FB000-memory.dmp

memory/5072-148-0x00000000053F0000-0x0000000005602000-memory.dmp

memory/5072-150-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/5072-151-0x00000000013F0000-0x0000000001965000-memory.dmp

memory/5072-153-0x0000000061DC0000-0x0000000062404000-memory.dmp

memory/5072-152-0x0000000070940000-0x000000007095C000-memory.dmp

memory/3848-154-0x0000000000000000-mapping.dmp

memory/668-155-0x0000000000000000-mapping.dmp

memory/5108-156-0x0000000000000000-mapping.dmp

memory/5072-158-0x0000000005BA0000-0x0000000005BB1000-memory.dmp

memory/5108-174-0x00000000026A0000-0x00000000036A0000-memory.dmp

memory/5108-175-0x00000000026A0000-0x00000000036A0000-memory.dmp

C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

MD5 7542ec421a2f6e90751e8b64c22e0542
SHA1 d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

MD5 7542ec421a2f6e90751e8b64c22e0542
SHA1 d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

memory/3688-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe

MD5 dfcfc788d67437530a50177164db42b0
SHA1 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256 a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512 dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe

MD5 dfcfc788d67437530a50177164db42b0
SHA1 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256 a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512 dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 c6719d819e76b65fc830638cad989495
SHA1 b7af70473c4a16229c606bfdec00f3f911f97baa
SHA256 19438ee9d7338c878b0d03d60aeff8f07176491f93316dd58d4fc173d24d0722
SHA512 2c2003113aa26c3bceeb0d0a99052ae72e8fad217fbd8248563e25fff5b0cb3d845da0144de3cc25a74e296bd4e486383b76348f4ed78ce8671ca5445189a902

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

MD5 1794aaa17d114a315a95473c9780fc8b
SHA1 7f250c022b916b88e22254985e7552bc3ac8db04
SHA256 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4
SHA512 fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

memory/1996-184-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSID8C7.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\MSID8C7.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 da8ecc08eb7fbf221569009f53a4b1c2
SHA1 70f358017e691d15b41bccd892cf438ec096e359
SHA256 7de8f286eaaefbab6f46038508b432da5b4da5416c642200711a9557e9d49ec1
SHA512 d2e8d21bf1503ba033d43d42e96e410327d4416c57718890be12911832fb455fd88ed6b924d06fba0f1930d1ebf4425cb3f115074a29b13a604b5dfe933c7b2f

C:\Windows\Installer\MSIE04A.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\MSIE04A.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\MSIE8A9.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\MSIE8A9.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Program Files\Java\jre1.8.0_351\installer.exe

MD5 9d00765d8cfbf29a67df737d72235d42
SHA1 be2b18518ab9637b591cc5183907c838dfa8bbe1
SHA256 751fdf82b0f79dc638396012b0586b47b4653ac3d8eddc82d406ad9ce23717c4
SHA512 ce58d644af56c0ce4d4576352f210bf0f8d1664fe1ca2d601107b0d88822d4e814f7db7dc9cbdbc5373421a4a99fef2e94b3faeff405cf9181d67e70e797e674

C:\Program Files\Java\jre1.8.0_351\installer.exe

MD5 15932bc1024e21814ddc50ec5933eb63
SHA1 ba32b13da021c1e1915965db944801ee35e69731
SHA256 6039c13d54c9ea650b02f5ccda851af15a8d3f1ee57b211bf060b9768bf08326
SHA512 cd44a5389d6e837b857ce5cd0915fde8926270cd6ed0628c11d1ca530174e559a1feb90250221ba8415cc0d59e9938d67fafed2790cb5accdf0d8548b55bdfa8

memory/1576-192-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 890e0f2a76f3e1ed4881423907b2e441
SHA1 93421b2613dd0fc843d5ec3228e97e3e21d78146
SHA256 f7653787dce01dcf91c25cd4a0e61029f2183f0cd3e6b57989c2b0a984cd9721
SHA512 49fc61cae65d94beac7a205ec44cab120f075630011c77e2b8a46331a7a398ef97b57acf83d94743f8328d6b70f419bd8f7b3521d355b144cb145854132f4494

C:\Windows\Installer\e58c33e.msi

MD5 9b6ae323688ef74d84fb0cc1733049f2
SHA1 c97fb8b93875d4cee5fc80657801f6980b2961b7
SHA256 83f24df73799096068af328fdbf8bd5bf78e753dbbf4d84b0ad60599bd1f7f88
SHA512 19bb123246164277ea9519876549af8d2e1a574b0646a459f32382f9ce199f765858878171bf4a7fc38e6de3d7716e5094ccc9382274e0852e50a341662741f6

C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

memory/688-197-0x0000000000000000-mapping.dmp

C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\baseimagefam8

MD5 2ef7f4d7011244fa056be79ad8f5f221
SHA1 c04a0f01dcaaf245f6f7e2b05594dabb448d9cb1
SHA256 7c3ac9e38fd3cb809f77a7a2ea6fa854add633e0c5a45ca2b15f2bfe0eee9778
SHA512 7518cc1ca1e6461d7bf8d9854f200ac5cfd9c0ef645b6db7c1f4d83370d88f9eaff3c6270b63dc3c7598439b01decec34005b47154c367fd851bdc921498ac9e

C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\diff

MD5 b0aeed985cb463f871ebbd8a0611f31c
SHA1 305d4d5ec09ab0a6e94d561e3b2f583d043199ae
SHA256 840a28fa08732bff67c0f992a338a16db218cd546881c77486c07bdc9ffa7650
SHA512 f2268c5bc01832942f5f710ddcf742a363f1b83a3946ee9d8acd0f6dde7d496767bfd5c7fd4d13ab0b089b10604e81695deb8d62499e202b488ea8080ba828ef

Analysis: behavioral25

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

27s

Max time network

30s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Network

N/A

Files

memory/1324-54-0x0000000000000000-mapping.dmp

memory/1324-55-0x0000000075F51000-0x0000000075F53000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-01-02 22:32

Reported

2023-01-02 22:36

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

Network

N/A

Files

memory/972-54-0x0000000000000000-mapping.dmp

memory/972-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

memory/972-56-0x0000000001FE0000-0x0000000002555000-memory.dmp

memory/972-58-0x0000000068880000-0x0000000068DAF000-memory.dmp