Analysis Overview
SHA256
2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
Threat Level: Known bad
The file mmc-stable-win32.zip was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-02 22:33
Signatures
Analysis: behavioral19
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
26s
Max time network
30s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1584 wrote to memory of 1364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1584 wrote to memory of 1364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1584 wrote to memory of 1364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1584 wrote to memory of 1364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1584 wrote to memory of 1364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1584 wrote to memory of 1364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1584 wrote to memory of 1364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
Network
Files
memory/1364-54-0x0000000000000000-mapping.dmp
memory/1364-55-0x0000000075611000-0x0000000075613000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 992 wrote to memory of 948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 992 wrote to memory of 948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 992 wrote to memory of 948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 992 wrote to memory of 948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 992 wrote to memory of 948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 992 wrote to memory of 948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 992 wrote to memory of 948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
Network
Files
memory/948-54-0x0000000000000000-mapping.dmp
memory/948-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
140s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1728 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1728 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 20.189.173.14:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/3500-132-0x0000000000000000-mapping.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
94s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1560 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.65.85:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
Files
memory/2520-132-0x0000000000000000-mapping.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
26s
Max time network
30s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 264
Network
Files
memory/840-54-0x0000000000000000-mapping.dmp
memory/840-55-0x0000000075A91000-0x0000000075A93000-memory.dmp
memory/2024-56-0x0000000000000000-mapping.dmp
memory/840-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/840-58-0x0000000061940000-0x0000000061EB5000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
112s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4420 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4420 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4420 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4952 -ip 4952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 716
Network
| Country | Destination | Domain | Proto |
| N/A | 52.178.17.2:443 | | tcp |
| N/A | 52.109.76.31:443 | | tcp |
Files
memory/4952-132-0x0000000000000000-mapping.dmp
memory/4952-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220812-en
Max time kernel
41s
Max time network
45s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 264
Network
Files
memory/1120-54-0x0000000000000000-mapping.dmp
memory/1120-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
memory/1120-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/916-56-0x0000000000000000-mapping.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
155s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5092 wrote to memory of 5104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5092 wrote to memory of 5104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5092 wrote to memory of 5104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 20.189.173.4:443 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
Files
memory/5104-132-0x0000000000000000-mapping.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
30s
Max time network
34s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1360 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
Network
Files
memory/1748-54-0x0000000000000000-mapping.dmp
memory/1748-55-0x00000000759F1000-0x00000000759F3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 264
Network
Files
memory/1512-54-0x0000000000000000-mapping.dmp
memory/1512-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
memory/936-56-0x0000000000000000-mapping.dmp
memory/1512-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20221111-en
Max time kernel
112s
Max time network
140s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2500 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2500 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2500 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 40.79.189.58:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/2612-132-0x0000000000000000-mapping.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1216 wrote to memory of 1724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1216 wrote to memory of 1724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1216 wrote to memory of 1724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1216 wrote to memory of 1724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1216 wrote to memory of 1724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1216 wrote to memory of 1724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1216 wrote to memory of 1724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
Network
Files
memory/1724-54-0x0000000000000000-mapping.dmp
memory/1724-55-0x00000000760D1000-0x00000000760D3000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 848 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2028 -ip 2028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
Files
memory/2028-132-0x0000000000000000-mapping.dmp
memory/2028-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/2028-134-0x0000000061940000-0x0000000061EB5000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
129s
Max time network
133s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3968 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3968 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3968 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 52.182.143.210:443 | | tcp |
Files
memory/2400-132-0x0000000000000000-mapping.dmp
memory/2400-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
29s
Max time network
33s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 276
Network
Files
memory/1256-54-0x0000000000000000-mapping.dmp
memory/1256-55-0x0000000076391000-0x0000000076393000-memory.dmp
memory/1700-56-0x0000000000000000-mapping.dmp
memory/1256-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220901-en
Max time kernel
43s
Max time network
48s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar
Network
Files
memory/2032-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
memory/2032-64-0x0000000002400000-0x0000000005400000-memory.dmp
memory/2032-65-0x0000000002400000-0x0000000005400000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220812-en
Max time kernel
41s
Max time network
45s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar
Network
Files
memory/1992-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp
memory/1992-64-0x00000000022B0000-0x00000000052B0000-memory.dmp
memory/1992-65-0x00000000022B0000-0x00000000052B0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20221111-en
Max time kernel
90s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3684 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3684 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3684 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4828 -ip 4828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 40.79.189.58:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 8.238.21.126:80 | | tcp |
Files
memory/4828-132-0x0000000000000000-mapping.dmp
memory/4828-133-0x0000000002260000-0x00000000028A4000-memory.dmp
memory/4828-135-0x0000000002260000-0x00000000028A4000-memory.dmp
memory/4828-136-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/4828-138-0x0000000061940000-0x0000000061EB5000-memory.dmp
memory/4828-139-0x0000000002260000-0x00000000028A4000-memory.dmp
memory/4828-140-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220901-en
Max time kernel
46s
Max time network
51s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1344 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
Network
Files
memory/1776-54-0x0000000000000000-mapping.dmp
memory/1776-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
memory/1776-56-0x0000000002210000-0x0000000002854000-memory.dmp
memory/1776-58-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/1776-59-0x0000000061940000-0x0000000061EB5000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220901-en
Max time kernel
43s
Max time network
49s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1484 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
Network
Files
memory/1748-54-0x0000000000000000-mapping.dmp
memory/1748-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
141s
Max time network
155s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3624 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3624 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3624 wrote to memory of 1864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 52.168.117.170:443 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
Files
memory/1864-132-0x0000000000000000-mapping.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220812-en
Max time kernel
41s
Max time network
45s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1780 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1780 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1780 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1780 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1780 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1780 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1780 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
Network
Files
memory/2028-54-0x0000000000000000-mapping.dmp
memory/2028-55-0x00000000762F1000-0x00000000762F3000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220901-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4644 wrote to memory of 4648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4644 wrote to memory of 4648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4644 wrote to memory of 4648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 51.132.193.104:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/4648-135-0x0000000000000000-mapping.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20221111-en
Max time kernel
59s
Max time network
94s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1168 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1168 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1168 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
Files
memory/3004-132-0x0000000000000000-mapping.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20221111-en
Max time kernel
125s
Max time network
129s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.15:443 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/4616-134-0x0000000002E40000-0x0000000003E40000-memory.dmp
memory/4616-142-0x0000000002E40000-0x0000000003E40000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
Network
Files
memory/1652-54-0x0000000074C91000-0x0000000074C93000-memory.dmp
memory/1652-55-0x0000000000330000-0x0000000000348000-memory.dmp
memory/1652-56-0x0000000000DE0000-0x0000000001424000-memory.dmp
memory/1652-58-0x0000000070940000-0x000000007095C000-memory.dmp
memory/1652-59-0x0000000061740000-0x0000000061771000-memory.dmp
memory/1652-60-0x000000006C8C0000-0x000000006C8FF000-memory.dmp
memory/1652-61-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/1652-62-0x0000000061940000-0x0000000061EB5000-memory.dmp
memory/1652-63-0x0000000070940000-0x000000007095C000-memory.dmp
memory/1652-65-0x000000006C8C0000-0x000000006C8FF000-memory.dmp
memory/1652-64-0x0000000061740000-0x0000000061771000-memory.dmp
memory/1652-66-0x0000000063400000-0x0000000063415000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4204 -ip 4204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 20.189.173.2:443 | | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20221111-en
Max time kernel
95s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1988 -ip 1988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| N/A | 13.78.111.198:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/1988-132-0x0000000000000000-mapping.dmp
memory/1988-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220812-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 13.69.109.130:443 | | tcp |
Files
memory/4324-141-0x0000000002410000-0x0000000003410000-memory.dmp
memory/4324-142-0x0000000002410000-0x0000000003410000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win10v2004-20220901-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Java\jre1.8.0_351\installer.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIE8A9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE04A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180351F0} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58c33b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58c33b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID8C7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE6C3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58c33e.msi | C:\Windows\system32\msiexec.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductName = "Java 8 Update 351 (64-bit)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\PackageCode = "97BA944EF7A3CCC4488541CAD6E00626" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800\4EA42A62D9304AC4784BF2468130150F | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\PackageName = "jre1.8.0_35164.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F\jrecore | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Version = "134221238" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductIcon = "C:\\Program Files\\Java\\jre1.8.0_351\\\\bin\\javaws.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\ProgramData\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.481424582\1068854234" -parentBuildID 20200403170909 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 1 -prefMapSize 219940 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1816 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.3.1862060731\141440575" -childID 1 -isForBrowser -prefsHandle 2492 -prefMapHandle 2420 -prefsLen 112 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2548 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.13.352290668\1301072536" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 6894 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3556 tab
C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe"
C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 2B64827738D1A9249EE11EE6FAA2B2CC
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x35c
C:\Program Files\Java\jre1.8.0_351\installer.exe
"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
Network
Files
C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe
| MD5 | 7542ec421a2f6e90751e8b64c22e0542 |
| SHA1 | d207d221a28ede5c2c8415f82c555989aa7068ba |
| SHA256 | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6 |
| SHA512 | 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc |
memory/3688-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jds240671250.tmp\jre-8u351-windows-x64.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | c6719d819e76b65fc830638cad989495 |
| SHA1 | b7af70473c4a16229c606bfdec00f3f911f97baa |
| SHA256 | 19438ee9d7338c878b0d03d60aeff8f07176491f93316dd58d4fc173d24d0722 |
| SHA512 | 2c2003113aa26c3bceeb0d0a99052ae72e8fad217fbd8248563e25fff5b0cb3d845da0144de3cc25a74e296bd4e486383b76348f4ed78ce8671ca5445189a902 |
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi
| MD5 | 1794aaa17d114a315a95473c9780fc8b |
| SHA1 | 7f250c022b916b88e22254985e7552bc3ac8db04 |
| SHA256 | 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4 |
| SHA512 | fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516 |
memory/1996-184-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSID8C7.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | da8ecc08eb7fbf221569009f53a4b1c2 |
| SHA1 | 70f358017e691d15b41bccd892cf438ec096e359 |
| SHA256 | 7de8f286eaaefbab6f46038508b432da5b4da5416c642200711a9557e9d49ec1 |
| SHA512 | d2e8d21bf1503ba033d43d42e96e410327d4416c57718890be12911832fb455fd88ed6b924d06fba0f1930d1ebf4425cb3f115074a29b13a604b5dfe933c7b2f |
C:\Windows\Installer\MSIE04A.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Windows\Installer\MSIE8A9.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Program Files\Java\jre1.8.0_351\installer.exe
| MD5 | 9d00765d8cfbf29a67df737d72235d42 |
| SHA1 | be2b18518ab9637b591cc5183907c838dfa8bbe1 |
| SHA256 | 751fdf82b0f79dc638396012b0586b47b4653ac3d8eddc82d406ad9ce23717c4 |
| SHA512 | ce58d644af56c0ce4d4576352f210bf0f8d1664fe1ca2d601107b0d88822d4e814f7db7dc9cbdbc5373421a4a99fef2e94b3faeff405cf9181d67e70e797e674 |
C:\Program Files\Java\jre1.8.0_351\installer.exe
| MD5 | 15932bc1024e21814ddc50ec5933eb63 |
| SHA1 | ba32b13da021c1e1915965db944801ee35e69731 |
| SHA256 | 6039c13d54c9ea650b02f5ccda851af15a8d3f1ee57b211bf060b9768bf08326 |
| SHA512 | cd44a5389d6e837b857ce5cd0915fde8926270cd6ed0628c11d1ca530174e559a1feb90250221ba8415cc0d59e9938d67fafed2790cb5accdf0d8548b55bdfa8 |
memory/1576-192-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 890e0f2a76f3e1ed4881423907b2e441 |
| SHA1 | 93421b2613dd0fc843d5ec3228e97e3e21d78146 |
| SHA256 | f7653787dce01dcf91c25cd4a0e61029f2183f0cd3e6b57989c2b0a984cd9721 |
| SHA512 | 49fc61cae65d94beac7a205ec44cab120f075630011c77e2b8a46331a7a398ef97b57acf83d94743f8328d6b70f419bd8f7b3521d355b144cb145854132f4494 |
C:\Windows\Installer\e58c33e.msi
| MD5 | 9b6ae323688ef74d84fb0cc1733049f2 |
| SHA1 | c97fb8b93875d4cee5fc80657801f6980b2961b7 |
| SHA256 | 83f24df73799096068af328fdbf8bd5bf78e753dbbf4d84b0ad60599bd1f7f88 |
| SHA512 | 19bb123246164277ea9519876549af8d2e1a574b0646a459f32382f9ce199f765858878171bf4a7fc38e6de3d7716e5094ccc9382274e0852e50a341662741f6 |
C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
memory/688-197-0x0000000000000000-mapping.dmp
C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\baseimagefam8
| MD5 | 2ef7f4d7011244fa056be79ad8f5f221 |
| SHA1 | c04a0f01dcaaf245f6f7e2b05594dabb448d9cb1 |
| SHA256 | 7c3ac9e38fd3cb809f77a7a2ea6fa854add633e0c5a45ca2b15f2bfe0eee9778 |
| SHA512 | 7518cc1ca1e6461d7bf8d9854f200ac5cfd9c0ef645b6db7c1f4d83370d88f9eaff3c6270b63dc3c7598439b01decec34005b47154c367fd851bdc921498ac9e |
C:\ProgramData\Oracle\Java\installcache_x64\240711312.tmp\diff
| MD5 | b0aeed985cb463f871ebbd8a0611f31c |
| SHA1 | 305d4d5ec09ab0a6e94d561e3b2f583d043199ae |
| SHA256 | 840a28fa08732bff67c0f992a338a16db218cd546881c77486c07bdc9ffa7650 |
| SHA512 | f2268c5bc01832942f5f710ddcf742a363f1b83a3946ee9d8acd0f6dde7d496767bfd5c7fd4d13ab0b089b10604e81695deb8d62499e202b488ea8080ba828ef |
Analysis: behavioral25
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1816 wrote to memory of 1324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
Network
Files
memory/1324-54-0x0000000000000000-mapping.dmp
memory/1324-55-0x0000000075F51000-0x0000000075F53000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-01-02 22:32
Reported
2023-01-02 22:36
Platform
win7-20221111-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
Network
Files
memory/972-54-0x0000000000000000-mapping.dmp
memory/972-55-0x0000000075D01000-0x0000000075D03000-memory.dmp
memory/972-56-0x0000000001FE0000-0x0000000002555000-memory.dmp
memory/972-58-0x0000000068880000-0x0000000068DAF000-memory.dmp