Malware Analysis Report

2025-01-02 11:57

Sample ID 230105-1566lsha91
Target mmc-stable-win32.zip
SHA256 2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order:

behavioral19, behavioral20, behavioral21, behavioral22, behavioral4, behavioral6, behavioral7, behavioral3, behavioral14, behavioral26, behavioral27, behavioral1, behavioral8, behavioral18, behavioral23, behavioral9, behavioral11, behavioral5, behavioral16, behavioral25, behavioral29, behavioral12, behavioral24, behavioral2, behavioral10, behavioral32, behavioral30, behavioral31, behavioral13, behavioral15, behavioral17, behavioral28

Analysis Overview

score
3/10

SHA256

2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e

Threat Level: Likely benign

The file mmc-stable-win32.zip was found to be: Likely benign.

Malicious Activity Summary

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Reading the summary against the detonations below: every "Suspicious use of WriteProcessMemory" row has the 64-bit C:\Windows\system32\rundll32.exe as the writer and the 32-bit C:\Windows\SysWOW64\rundll32.exe, started with the identical command line, as the target. That is how rundll32 on 64-bit Windows hands a 32-bit DLL to its WOW64 counterpart; the writes belong to that relaunch, not to injection into an unrelated process. Every "Program crash" row is WerFault.exe attached (-p <pid>) to that SysWOW64 rundll32 after it was told to call export ordinal #1 of a Qt library, an export never meant to be entered with rundll32's argument convention. The AdjustPrivilegeToken hit (SeIncBasePriorityPrivilege) is raised by C:\Windows\system32\AUDIODG.EXE, a Windows audio service process, not by the sample. The AddClipboardFormatListener, EnumeratesProcesses and GetForegroundWindowSpam hits come from MultiMC.exe itself (behavioral4) and are ordinary for a desktop GUI application. The Network tables are not attributed per process: the same kind of bare-IP port 80/443 traffic appears in behavioral2, where only Explorer.exe opened the zip, so it is background traffic of the sandbox image; the named hosts in behavioral4 (multimc.org, meta.multimc.org, download.nodecdn.net, api.modrinth.com, cdn.modrinth.com, cdn-raw.modrinth.com) are the launcher's own update and metadata hosts and the Modrinth mod index.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-01-05 22:15

Signatures

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Network

N/A

Files

memory/1900-54-0x0000000000000000-mapping.dmp

memory/1900-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

72s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4292 wrote to memory of 3916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4292 wrote to memory of 3916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4292 wrote to memory of 3916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Network

Country | Destination | Domain | Proto
N/A | 8.253.208.121:80 | N/A | tcp
N/A | 8.238.20.126:80 | N/A | tcp
N/A | 104.80.225.205:443 | N/A | tcp

Files

memory/3916-132-0x0000000000000000-mapping.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220901-en

Max time kernel

46s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Network

N/A

Files

memory/956-54-0x0000000000000000-mapping.dmp

memory/956-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220812-en

Max time kernel

93s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4188 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.microsoft.com | udp
N/A | 173.223.113.131:80 | www.microsoft.com | tcp
N/A | 8.238.111.126:80 | N/A | tcp
N/A | 8.238.111.126:80 | N/A | tcp

Files

memory/4928-132-0x0000000000000000-mapping.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\ProgramData\Oracle\Java\javapath\javaw.exe

javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f4 0x308

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | files.multimc.org | udp
N/A | 172.67.147.103:443 | files.multimc.org | tcp
N/A | 93.184.220.29:80 | N/A | tcp
N/A | 104.80.225.205:443 | N/A | tcp
N/A | 20.189.173.10:443 | N/A | tcp
N/A | 88.221.25.154:80 | N/A | tcp
N/A | 88.221.25.154:80 | N/A | tcp
N/A | 87.248.202.1:80 | N/A | tcp
N/A | 8.8.8.8:53 | multimc.org | udp
N/A | 172.67.147.103:443 | multimc.org | tcp
N/A | 172.67.147.103:80 | multimc.org | tcp
N/A | 172.67.147.103:443 | multimc.org | tcp
N/A | 8.8.8.8:53 | meta.multimc.org | udp
N/A | 172.67.147.103:443 | meta.multimc.org | tcp
N/A | 8.8.8.8:53 | download.nodecdn.net | udp
N/A | 104.22.69.118:443 | download.nodecdn.net | tcp
N/A | 104.22.69.118:443 | download.nodecdn.net | tcp
N/A | 104.22.69.118:443 | download.nodecdn.net | tcp
N/A | 104.22.69.118:443 | download.nodecdn.net | tcp
N/A | 104.22.69.118:443 | download.nodecdn.net | tcp
N/A | 104.22.69.118:443 | download.nodecdn.net | tcp
N/A | 8.8.8.8:53 | api.modrinth.com | udp
N/A | 104.18.23.35:443 | api.modrinth.com | tcp
N/A | 8.8.8.8:53 | cdn.modrinth.com | udp
N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp
N/A | 8.8.8.8:53 | cdn-raw.modrinth.com | udp
N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp
N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp

Files

memory/4800-132-0x00000000001C1000-0x00000000001C3000-memory.dmp

memory/4800-133-0x00000000013D0000-0x0000000001945000-memory.dmp

memory/4800-135-0x00000000013D0000-0x0000000001945000-memory.dmp

memory/4800-137-0x0000000061740000-0x0000000061771000-memory.dmp

memory/4800-136-0x0000000070940000-0x000000007095C000-memory.dmp

memory/4800-139-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/4800-138-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/4800-140-0x0000000000400000-0x00000000009FB000-memory.dmp

memory/4800-141-0x00000000013D0000-0x0000000001945000-memory.dmp

memory/4800-142-0x0000000061740000-0x0000000061771000-memory.dmp

memory/4800-143-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/4800-144-0x0000000063400000-0x0000000063415000-memory.dmp

memory/4800-145-0x0000000000400000-0x00000000009FB000-memory.dmp

memory/4800-146-0x0000000070940000-0x000000007095C000-memory.dmp

memory/4800-147-0x0000000061DC0000-0x0000000062404000-memory.dmp

memory/4800-148-0x00000000053F0000-0x0000000005602000-memory.dmp

memory/4800-150-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/4800-151-0x00000000013D0000-0x0000000001945000-memory.dmp

memory/4800-152-0x0000000061DC0000-0x0000000062404000-memory.dmp

memory/920-153-0x0000000000000000-mapping.dmp

memory/5040-154-0x0000000000000000-mapping.dmp

memory/4544-155-0x0000000000000000-mapping.dmp

memory/4800-156-0x0000000006870000-0x0000000006881000-memory.dmp

memory/920-174-0x00000000029F0000-0x00000000039F0000-memory.dmp

memory/920-175-0x00000000029F0000-0x00000000039F0000-memory.dmp

memory/4800-176-0x0000000000170000-0x0000000000180000-memory.dmp
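The Network tables in this report list connections without saying which process made them, so the useful first pass is to separate DNS lookups, connections to hosts the sample is expected to use, and everything else. The Python below is an added example written for this page, not tooling from the sandbox vendor or from the MultiMC project. Its input is constructed from rows copied out of the behavioral4 table above plus the www.microsoft.com row from behavioral22 and the in-addr.arpa row from behavioral18; the EXPECTED_DOMAINS allowlist is an analyst assumption, not something the report states.

```python
"""Triage of a sandbox report's Network table (added example, not part of the report)."""
import re
from collections import Counter

# Constructed input: rows copied from the behavioral4 Network table, plus the
# www.microsoft.com row from behavioral22 and the in-addr.arpa row from
# behavioral18. Column order is Country, Destination, Domain, Proto; the Domain
# cell is blank for direct IP connections, so those rows have one field fewer.
REPORT_ROWS = """\
N/A 8.8.8.8:53 files.multimc.org udp
N/A 172.67.147.103:443 files.multimc.org tcp
N/A 93.184.220.29:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 multimc.org udp
N/A 172.67.147.103:443 multimc.org tcp
N/A 172.67.147.103:80 multimc.org tcp
N/A 172.67.147.103:443 multimc.org tcp
N/A 8.8.8.8:53 meta.multimc.org udp
N/A 172.67.147.103:443 meta.multimc.org tcp
N/A 8.8.8.8:53 download.nodecdn.net udp
N/A 104.22.69.118:443 download.nodecdn.net tcp
N/A 104.22.69.118:443 download.nodecdn.net tcp
N/A 8.8.8.8:53 api.modrinth.com udp
N/A 104.18.23.35:443 api.modrinth.com tcp
N/A 173.223.113.131:80 www.microsoft.com tcp
N/A 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
"""

# Assumption supplied by the analyst, not by the report: domains the launcher
# is expected to contact (its own update/metadata hosts and the mod index it
# lists). Everything else is reported as unexplained.
EXPECTED_DOMAINS = ("multimc.org", "nodecdn.net", "modrinth.com")

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")


def parse_rows(text):
    """Parse report rows into dicts; domain is None when the cell is blank."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_expected(domain):
    """Exact or subdomain match only, so a look-alike such as evil-multimc.org does not pass."""
    return any(domain == d or domain.endswith("." + d) for d in EXPECTED_DOMAINS)


def ptr_to_ip(name):
    """Turn a reverse-lookup name (d.c.b.a.in-addr.arpa) back into a.b.c.d."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def triage(text=REPORT_ROWS):
    """Bucket the rows so the unexplained ones stand out."""
    out = {"dns": [], "reverse_dns": [], "expected": Counter(),
           "unexpected": Counter(), "bare_ip": Counter()}
    for r in parse_rows(text):
        dest = f"{r['ip']}:{r['port']}"
        dom = r["domain"]
        if r["proto"] == "udp" and r["port"] == 53:
            if dom and dom.endswith(".in-addr.arpa"):
                out["reverse_dns"].append(ptr_to_ip(dom))
            else:
                out["dns"].append(dom)
        elif dom is None:
            out["bare_ip"][dest] += 1            # no name at all: needs manual attribution
        elif is_expected(dom):
            out["expected"][(dom, dest)] += 1
        else:
            out["unexpected"][(dom, dest)] += 1
    return out


if __name__ == "__main__":
    for bucket, items in triage().items():
        print(bucket, dict(items) if isinstance(items, Counter) else items)
```

Run as a script it prints the five buckets. The bare-IP connections and www.microsoft.com land outside the allowlist; attributing them needs per-process network data this report does not give, and the fact that behavioral2 (Explorer.exe only) shows the same kind of traffic is the page's own evidence that they are sandbox background rather than sample activity. The PTR lookup 226.101.242.52.in-addr.arpa decodes to 52.242.101.226, which ptr_to_ip recovers by reversing the labels.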

Analysis: behavioral6

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

65s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4940 wrote to memory of 4316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 4316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 4316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4316 -ip 4316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 676

Network

Country | Destination | Domain | Proto
N/A | 20.42.65.84:443 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp

Files

memory/4316-132-0x0000000000000000-mapping.dmp

memory/4316-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
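Two of the summary's signatures, "Suspicious use of WriteProcessMemory" (first seen in behavioral19) and "Program crash" (behavioral6 above), can be checked mechanically from the rows the report gives: the writer and target image paths, the per-image command lines, and the PID in WerFault's -p argument. The Python below is an added example for this page, not code from the sandbox or from MultiMC. Its input is constructed from the behavioral6 rows above, and the benign-relaunch rule (64-bit system32\rundll32.exe writing into a SysWOW64\rundll32.exe started with an identical command line) is the analyst's heuristic, not a rule the report states.

```python
"""Classify WriteProcessMemory and crash hits of one detonation (added example, not part of the report)."""
import re
from collections import Counter

# Constructed input: the three "Suspicious use of WriteProcessMemory" rows and
# the four process command lines of the behavioral6 detonation. Row columns are
# Description, Indicator, Process, Target; the paths in this report contain no
# spaces, which the row regex relies on.
WPM_ROWS = r"""
PID 4940 wrote to memory of 4316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 4316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 4316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""
PROCESSES = [  # (image path, command line) as listed under Processes
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4316 -ip 4316"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 676"),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p (\d+)")   # "-p <pid>", not "-pss" or "-ip"


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_path, target_path) per row."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, _indicator, src_path, dst_path = m.groups()
        events.append((int(src), int(dst), src_path, dst_path))
    return events


def cmdline_by_image(processes):
    """Image path -> command line; the first listing wins."""
    out = {}
    for path, cmd in processes:
        out.setdefault(path, cmd)
    return out


def is_wow64_relaunch(writer_path, target_path, cmds):
    """True when a 64-bit rundll32 writes into the SysWOW64 rundll32 it spawned
    with an identical command line: how rundll32 hands a 32-bit DLL to WOW64."""
    w, t = writer_path.lower(), target_path.lower()
    if not (w.endswith(r"\system32\rundll32.exe") and t.endswith(r"\syswow64\rundll32.exe")):
        return False
    return cmds.get(writer_path) is not None and cmds.get(writer_path) == cmds.get(target_path)


def crashed_pids(processes):
    """PIDs that WerFault.exe was attached to (its -p argument)."""
    pids = set()
    for path, cmd in processes:
        if path.lower().endswith(r"\werfault.exe"):
            m = WERFAULT_PID_RE.search(cmd)
            if m:
                pids.add(int(m.group(1)))
    return pids


def classify(wpm_text=WPM_ROWS, processes=PROCESSES):
    """Summarise the write events and tie each crash to the command line that faulted."""
    cmds = cmdline_by_image(processes)
    events = parse_wpm(wpm_text)
    path_of_pid = {}
    for src, dst, src_path, dst_path in events:
        path_of_pid[src] = src_path
        path_of_pid[dst] = dst_path
    pairs = Counter((src, dst) for src, dst, _, _ in events)
    benign = {pair: is_wow64_relaunch(path_of_pid[pair[0]], path_of_pid[pair[1]], cmds)
              for pair in pairs}
    crashed = {pid: cmds.get(path_of_pid.get(pid), "<pid not seen in signature rows>")
               for pid in crashed_pids(processes)}
    return {"write_events": dict(pairs), "benign_wow64_relaunch": benign, "crashed": crashed}


if __name__ == "__main__":
    for key, value in classify().items():
        print(key, value)
```

Caveat: the heuristic passes any write from the 64-bit rundll32 into a SysWOW64 rundll32 with the same command line, so it would also pass real injection into such a child; the write sizes and target addresses that would settle that are not in this report. The crash mapping shows WerFault attached to PID 4316, the SysWOW64 rundll32 that was told to call export #1 of Qt5Core.dll.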

Analysis: behavioral7

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20221111-en

Max time kernel

30s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 264

Network

N/A

Files

memory/1460-54-0x0000000000000000-mapping.dmp

memory/1460-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

memory/736-56-0x0000000000000000-mapping.dmp

memory/1460-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/1460-58-0x0000000061940000-0x0000000061EB5000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Network

N/A

Files

memory/2044-54-0x0000000075201000-0x0000000075203000-memory.dmp

memory/2044-55-0x0000000000330000-0x0000000000348000-memory.dmp

memory/2044-56-0x0000000000D20000-0x0000000001364000-memory.dmp

memory/2044-58-0x0000000070940000-0x000000007095C000-memory.dmp

memory/2044-59-0x0000000061740000-0x0000000061771000-memory.dmp

memory/2044-60-0x000000006C8C0000-0x000000006C8FF000-memory.dmp

memory/2044-61-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/2044-62-0x0000000070940000-0x000000007095C000-memory.dmp

memory/2044-64-0x0000000061940000-0x0000000061EB5000-memory.dmp

memory/2044-63-0x0000000061740000-0x0000000061771000-memory.dmp

memory/2044-66-0x0000000063400000-0x0000000063415000-memory.dmp

memory/2044-65-0x000000006C8C0000-0x000000006C8FF000-memory.dmp
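The Files lists name each memory dump by PID, sequence number and address range. Comparing ranges across detonations shows something the per-run lists do not: several ranges (0x68880000-0x68DAF000 among them) recur at the identical address in behavioral3, behavioral4, behavioral6 and behavioral7, across Win7 and Win10 images (so different boots) and unrelated PIDs, which is what an image loading at its preferred base, without ASLR relocation, looks like. The Python below is an added example for this page, not sandbox or MultiMC code. Its input is constructed from dump names copied from those four detonations; the report does not say which module each range belongs to, so tying a range to a DLL needs the module list the report omits.

```python
"""Recurring memory regions across detonations (added example, not part of the report)."""
import re
from collections import defaultdict

# Constructed input: dump file names copied from the Files lists of four
# detonations, tagged with the detonation name and platform the report gives
# for each. Only ranged "-memory.dmp" names carry an address range; one
# "-mapping.dmp" entry is kept to show it is skipped.
DUMPS = [
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-132-0x00000000001C1000-0x00000000001C3000-memory.dmp"),
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-133-0x00000000013D0000-0x0000000001945000-memory.dmp"),
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-137-0x0000000061740000-0x0000000061771000-memory.dmp"),
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-136-0x0000000070940000-0x000000007095C000-memory.dmp"),
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-139-0x0000000068880000-0x0000000068DAF000-memory.dmp"),
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-138-0x000000006C8C0000-0x000000006C8FF000-memory.dmp"),
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-140-0x0000000000400000-0x00000000009FB000-memory.dmp"),
    ("behavioral4", "win10v2004-20221111-en", "memory/4800-144-0x0000000063400000-0x0000000063415000-memory.dmp"),
    ("behavioral6", "win10v2004-20221111-en", "memory/4316-132-0x0000000000000000-mapping.dmp"),
    ("behavioral6", "win10v2004-20221111-en", "memory/4316-133-0x0000000068880000-0x0000000068DAF000-memory.dmp"),
    ("behavioral7", "win7-20221111-en", "memory/1460-55-0x0000000075D01000-0x0000000075D03000-memory.dmp"),
    ("behavioral7", "win7-20221111-en", "memory/1460-57-0x0000000068880000-0x0000000068DAF000-memory.dmp"),
    ("behavioral7", "win7-20221111-en", "memory/1460-58-0x0000000061940000-0x0000000061EB5000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-54-0x0000000075201000-0x0000000075203000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-55-0x0000000000330000-0x0000000000348000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-56-0x0000000000D20000-0x0000000001364000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-58-0x0000000070940000-0x000000007095C000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-59-0x0000000061740000-0x0000000061771000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-60-0x000000006C8C0000-0x000000006C8FF000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-61-0x0000000068880000-0x0000000068DAF000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-64-0x0000000061940000-0x0000000061EB5000-memory.dmp"),
    ("behavioral3", "win7-20220812-en", "memory/2044-66-0x0000000063400000-0x0000000063415000-memory.dmp"),
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return (pid, seq, start, end) for a ranged dump name, None for mapping dumps."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def recurring_regions(dumps=DUMPS):
    """Identical address ranges seen in more than one detonation.

    A region mapped at the same base in independent boots, on different OS
    images, is loading at its preferred base rather than being relocated,
    which is what an image without ASLR (no dynamic base) looks like.
    """
    seen = defaultdict(set)            # (start, end) -> {(detonation, platform, pid)}
    for det, platform, name in dumps:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _seq, start, end = parsed
        seen[(start, end)].add((det, platform, pid))
    out = {}
    for (start, end), where in seen.items():
        dets = sorted({d for d, _, _ in where})
        if len(dets) > 1:
            out[(start, end)] = {"size": end - start, "detonations": dets,
                                 "platforms": sorted({p for _, p, _ in where})}
    return out


def relocated_regions(dumps=DUMPS):
    """Heuristic: the same size at different bases across runs, i.e. a region that moved.

    Two unrelated regions can share a size, so treat a hit as a lead to confirm
    against the module list, not as proof.
    """
    starts_by_size = defaultdict(set)
    for _det, _platform, name in dumps:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        _pid, _seq, start, end = parsed
        starts_by_size[end - start].add(start)
    return {size: sorted(starts) for size, starts in starts_by_size.items() if len(starts) > 1}


if __name__ == "__main__":
    for (start, end), info in sorted(recurring_regions().items()):
        print(f"0x{start:08X}-0x{end:08X} size 0x{info['size']:X} in {', '.join(info['detonations'])}")
    for size, starts in sorted(relocated_regions().items()):
        print(f"size 0x{size:X} moved between " + ", ".join(f"0x{s:08X}" for s in starts))
```

relocated_regions is the complementary heuristic: a size that appears at different bases in different runs (0x575000 sits at 0x61940000 in the Win7 runs and at 0x13D0000 in behavioral4) is a region that moved. Unrelated regions can share a size, so treat its hits as leads, not findings.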

Analysis: behavioral14

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220812-en

Max time kernel

142s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3612 wrote to memory of 4568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3612 wrote to memory of 4568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3612 wrote to memory of 4568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 684

Network

Country | Destination | Domain | Proto
N/A | 104.80.225.205:443 | N/A | tcp
N/A | 13.69.109.130:443 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp

Files

memory/4568-132-0x0000000000000000-mapping.dmp

memory/4568-133-0x0000000002520000-0x0000000002A95000-memory.dmp

memory/4568-135-0x0000000002520000-0x0000000002A95000-memory.dmp

memory/4568-136-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/4568-137-0x0000000002520000-0x0000000002A95000-memory.dmp

memory/4568-138-0x0000000061DC0000-0x0000000062404000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

64s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5016 wrote to memory of 2480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 2480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 2480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Network

Country | Destination | Domain | Proto
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 20.189.173.11:443 | N/A | tcp
N/A | 104.80.225.205:443 | N/A | tcp

Files

memory/2480-132-0x0000000000000000-mapping.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Network

N/A

Files

memory/1496-54-0x0000000000000000-mapping.dmp

memory/1496-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20221111-en

Max time kernel

27s

Max time network

30s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-stable-win32.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-stable-win32.zip

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220901-en

Max time kernel

91s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5076 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5076 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5076 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2708 -ip 2708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 684

Network

Country | Destination | Domain | Proto
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 2.18.109.224:443 | N/A | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 209.197.3.8:80 | N/A | tcp

Files

memory/2708-132-0x0000000000000000-mapping.dmp

memory/2708-133-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/2708-134-0x0000000061940000-0x0000000061EB5000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

90s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2260 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Network

Country | Destination | Domain | Proto
N/A | 104.80.225.205:443 | N/A | tcp
N/A | 52.168.117.170:443 | N/A | tcp
N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp
N/A | 88.221.25.154:80 | N/A | tcp
N/A | 88.221.25.154:80 | N/A | tcp
N/A | 88.221.25.154:80 | N/A | tcp

Files

memory/2040-132-0x0000000000000000-mapping.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20221111-en

Max time kernel

26s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Network

Country | Destination | Domain | Proto
N/A | 72.21.81.240:80 | N/A | tcp
N/A | 216.58.214.14:443 | N/A | tcp
N/A | 8.8.8.8:443 | N/A | tcp
N/A | 8.8.4.4:443 | N/A | tcp

Files

memory/972-54-0x0000000000000000-mapping.dmp

memory/972-55-0x0000000075701000-0x0000000075703000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 276

Network

N/A

Files

memory/1940-54-0x0000000000000000-mapping.dmp

memory/1940-55-0x0000000075B41000-0x0000000075B43000-memory.dmp

memory/1488-56-0x0000000000000000-mapping.dmp

memory/1940-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20221111-en

Max time kernel

29s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

Network

N/A

Files

memory/880-54-0x0000000000000000-mapping.dmp

memory/880-55-0x00000000757C1000-0x00000000757C3000-memory.dmp

memory/880-56-0x0000000001E80000-0x00000000024C4000-memory.dmp

memory/880-58-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/880-59-0x0000000061940000-0x0000000061EB5000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220812-en

Max time kernel

43s

Max time network

47s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 264

Network

N/A

Files

memory/976-54-0x0000000000000000-mapping.dmp

memory/976-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

memory/932-56-0x0000000000000000-mapping.dmp

memory/976-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

91s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4836 wrote to memory of 5040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4836 wrote to memory of 5040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4836 wrote to memory of 5040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 676

Network

Country | Destination | Domain | Proto
N/A | 72.21.81.240:80 | N/A | tcp
N/A | 40.79.189.59:443 | N/A | tcp
N/A | 72.21.81.240:80 | N/A | tcp
N/A | 72.21.81.240:80 | N/A | tcp
N/A | 72.21.81.240:80 | N/A | tcp
N/A | 104.80.225.205:443 | N/A | tcp

Files

memory/5040-132-0x0000000000000000-mapping.dmp

memory/5040-133-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220812-en

Max time kernel

42s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Network

N/A

Files

memory/548-54-0x0000000000000000-mapping.dmp

memory/548-55-0x0000000076171000-0x0000000076173000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20221111-en

Max time kernel

29s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Network

N/A

Files

memory/1188-54-0x0000000000000000-mapping.dmp

memory/1188-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220812-en

Max time kernel

126s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4996 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1816 -ip 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 676

Network

Country | Destination | Domain | Proto
N/A | 8.238.20.126:80 | N/A | tcp
N/A | 8.238.20.126:80 | N/A | tcp
N/A | 8.253.208.120:80 | N/A | tcp

Files

memory/1816-132-0x0000000000000000-mapping.dmp

memory/1816-133-0x00000000025D0000-0x0000000002B45000-memory.dmp

memory/1816-135-0x00000000025D0000-0x0000000002B45000-memory.dmp

memory/1816-136-0x0000000068880000-0x0000000068DAF000-memory.dmp

memory/1816-137-0x00000000025D0000-0x0000000002B45000-memory.dmp

memory/1816-138-0x0000000061DC0000-0x0000000062404000-memory.dmp

memory/1816-139-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

141s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 1320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3196 wrote to memory of 1320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3196 wrote to memory of 1320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 20.42.65.89:443 tcp
N/A 104.80.225.205:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/1320-132-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220901-en

Max time kernel

91s

Max time network

138s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-stable-win32.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-stable-win32.zip

Network

Country Destination Domain Proto
N/A 8.238.110.126:80 tcp
N/A 13.89.179.10:443 tcp
N/A 8.238.110.126:80 tcp
N/A 8.238.110.126:80 tcp
N/A 8.238.110.126:80 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20221111-en

Max time kernel

90s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4308 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4308 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2988 -ip 2988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 716

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 104.80.225.205:443 tcp
N/A 40.79.189.58:443 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.238.21.126:80 tcp
N/A 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
N/A 8.8.8.8:53 a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

memory/2988-132-0x0000000000000000-mapping.dmp

memory/2988-133-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220812-en

Max time kernel

116s

Max time network

149s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Network

Country Destination Domain Proto
N/A 95.101.78.106:80 tcp
N/A 93.184.220.29:80 tcp
N/A 20.44.10.122:443 tcp
N/A 104.110.191.133:80 tcp
N/A 104.110.191.133:80 tcp
N/A 104.110.191.133:80 tcp

Files

memory/2240-136-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220812-en

Max time kernel

143s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 20.42.65.84:443 tcp
N/A 8.253.208.113:80 tcp
N/A 8.253.208.113:80 tcp

Files

memory/1944-132-0x0000000000000000-mapping.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20221111-en

Max time kernel

30s

Max time network

34s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Network

N/A

Files

memory/1400-54-0x000007FEFC1E1000-0x000007FEFC1E3000-memory.dmp

memory/1400-62-0x0000000002180000-0x0000000005180000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20221111-en

Max time kernel

29s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1692 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

Network

N/A

Files

memory/2004-54-0x0000000000000000-mapping.dmp

memory/2004-55-0x0000000076651000-0x0000000076653000-memory.dmp

memory/2004-56-0x0000000002140000-0x00000000026B5000-memory.dmp

memory/2004-58-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220901-en

Max time kernel

43s

Max time network

49s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 264

Network

N/A

Files

memory/856-54-0x0000000000000000-mapping.dmp

memory/856-55-0x0000000075711000-0x0000000075713000-memory.dmp

memory/1688-56-0x0000000000000000-mapping.dmp

memory/856-57-0x0000000068880000-0x0000000068DAF000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win7-20220812-en

Max time kernel

41s

Max time network

45s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1664 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Network

N/A

Files

memory/1928-54-0x0000000000000000-mapping.dmp

memory/1928-55-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2023-01-05 22:15

Reported

2023-01-05 22:19

Platform

win10v2004-20220901-en

Max time kernel

68s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4296 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4296 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Network

Country Destination Domain Proto
N/A 20.42.73.24:443 tcp
N/A 2.18.109.224:443 tcp
N/A 87.248.202.1:80 tcp
N/A 88.221.25.155:80 tcp

Files

memory/1716-132-0x0000000000000000-mapping.dmp