Analysis Overview
SHA256
2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
Threat Level: Likely benign
The file mmc-stable-win32.zip was found to be: Likely benign.
Malicious Activity Summary
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-01-05 22:15
Signatures
Analysis: behavioral19
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
Network
Files
memory/1900-54-0x0000000000000000-mapping.dmp
memory/1900-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
72s
Max time network
130s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4292 wrote to memory of 3916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4292 wrote to memory of 3916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4292 wrote to memory of 3916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.253.208.121:80 | N/A | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
memory/3916-132-0x0000000000000000-mapping.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220901-en
Max time kernel
46s
Max time network
52s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2016 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
Network
Files
memory/956-54-0x0000000000000000-mapping.dmp
memory/956-55-0x00000000757A1000-0x00000000757A3000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220812-en
Max time kernel
93s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4188 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4188 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4188 wrote to memory of 4928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 173.223.113.131:80 | www.microsoft.com | tcp |
| N/A | 8.238.111.126:80 | N/A | tcp |
| N/A | 8.238.111.126:80 | N/A | tcp |
Files
memory/4928-132-0x0000000000000000-mapping.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4800 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 4800 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 4800 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe |
| PID 4800 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe |
| PID 4800 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\ProgramData\Oracle\Java\javapath\javaw.exe |
| PID 4800 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | C:\ProgramData\Oracle\Java\javapath\javaw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\ProgramData\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x308
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | files.multimc.org | udp |
| N/A | 172.67.147.103:443 | files.multimc.org | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 20.189.173.10:443 | N/A | tcp |
| N/A | 88.221.25.154:80 | N/A | tcp |
| N/A | 88.221.25.154:80 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | multimc.org | udp |
| N/A | 172.67.147.103:443 | multimc.org | tcp |
| N/A | 172.67.147.103:80 | multimc.org | tcp |
| N/A | 172.67.147.103:443 | multimc.org | tcp |
| N/A | 8.8.8.8:53 | meta.multimc.org | udp |
| N/A | 172.67.147.103:443 | meta.multimc.org | tcp |
| N/A | 8.8.8.8:53 | download.nodecdn.net | udp |
| N/A | 104.22.69.118:443 | download.nodecdn.net | tcp |
| N/A | 104.22.69.118:443 | download.nodecdn.net | tcp |
| N/A | 104.22.69.118:443 | download.nodecdn.net | tcp |
| N/A | 104.22.69.118:443 | download.nodecdn.net | tcp |
| N/A | 104.22.69.118:443 | download.nodecdn.net | tcp |
| N/A | 104.22.69.118:443 | download.nodecdn.net | tcp |
| N/A | 8.8.8.8:53 | api.modrinth.com | udp |
| N/A | 104.18.23.35:443 | api.modrinth.com | tcp |
| N/A | 8.8.8.8:53 | cdn.modrinth.com | udp |
| N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn.modrinth.com | tcp |
| N/A | 8.8.8.8:53 | cdn-raw.modrinth.com | udp |
| N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp |
| N/A | 104.18.23.35:443 | cdn-raw.modrinth.com | tcp |
Files
memory/4800-132-0x00000000001C1000-0x00000000001C3000-memory.dmp
memory/4800-133-0x00000000013D0000-0x0000000001945000-memory.dmp
memory/4800-135-0x00000000013D0000-0x0000000001945000-memory.dmp
memory/4800-137-0x0000000061740000-0x0000000061771000-memory.dmp
memory/4800-136-0x0000000070940000-0x000000007095C000-memory.dmp
memory/4800-139-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/4800-138-0x000000006C8C0000-0x000000006C8FF000-memory.dmp
memory/4800-140-0x0000000000400000-0x00000000009FB000-memory.dmp
memory/4800-141-0x00000000013D0000-0x0000000001945000-memory.dmp
memory/4800-142-0x0000000061740000-0x0000000061771000-memory.dmp
memory/4800-143-0x000000006C8C0000-0x000000006C8FF000-memory.dmp
memory/4800-144-0x0000000063400000-0x0000000063415000-memory.dmp
memory/4800-145-0x0000000000400000-0x00000000009FB000-memory.dmp
memory/4800-146-0x0000000070940000-0x000000007095C000-memory.dmp
memory/4800-147-0x0000000061DC0000-0x0000000062404000-memory.dmp
memory/4800-148-0x00000000053F0000-0x0000000005602000-memory.dmp
memory/4800-150-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/4800-151-0x00000000013D0000-0x0000000001945000-memory.dmp
memory/4800-152-0x0000000061DC0000-0x0000000062404000-memory.dmp
memory/920-153-0x0000000000000000-mapping.dmp
memory/5040-154-0x0000000000000000-mapping.dmp
memory/4544-155-0x0000000000000000-mapping.dmp
memory/4800-156-0x0000000006870000-0x0000000006881000-memory.dmp
memory/920-174-0x00000000029F0000-0x00000000039F0000-memory.dmp
memory/920-175-0x00000000029F0000-0x00000000039F0000-memory.dmp
memory/4800-176-0x0000000000170000-0x0000000000180000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
65s
Max time network
131s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4940 wrote to memory of 4316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4940 wrote to memory of 4316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4940 wrote to memory of 4316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4316 -ip 4316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.65.84:443 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
Files
memory/4316-132-0x0000000000000000-mapping.dmp
memory/4316-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20221111-en
Max time kernel
30s
Max time network
34s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 264
Network
Files
memory/1460-54-0x0000000000000000-mapping.dmp
memory/1460-55-0x0000000075D01000-0x0000000075D03000-memory.dmp
memory/736-56-0x0000000000000000-mapping.dmp
memory/1460-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/1460-58-0x0000000061940000-0x0000000061EB5000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
Network
Files
memory/2044-54-0x0000000075201000-0x0000000075203000-memory.dmp
memory/2044-55-0x0000000000330000-0x0000000000348000-memory.dmp
memory/2044-56-0x0000000000D20000-0x0000000001364000-memory.dmp
memory/2044-58-0x0000000070940000-0x000000007095C000-memory.dmp
memory/2044-59-0x0000000061740000-0x0000000061771000-memory.dmp
memory/2044-60-0x000000006C8C0000-0x000000006C8FF000-memory.dmp
memory/2044-61-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/2044-62-0x0000000070940000-0x000000007095C000-memory.dmp
memory/2044-64-0x0000000061940000-0x0000000061EB5000-memory.dmp
memory/2044-63-0x0000000061740000-0x0000000061771000-memory.dmp
memory/2044-66-0x0000000063400000-0x0000000063415000-memory.dmp
memory/2044-65-0x000000006C8C0000-0x000000006C8FF000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220812-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3612 wrote to memory of 4568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3612 wrote to memory of 4568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3612 wrote to memory of 4568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4568 -ip 4568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 684
Network
| Country | Destination | Domain | Proto |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 13.69.109.130:443 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
Files
memory/4568-132-0x0000000000000000-mapping.dmp
memory/4568-133-0x0000000002520000-0x0000000002A95000-memory.dmp
memory/4568-135-0x0000000002520000-0x0000000002A95000-memory.dmp
memory/4568-136-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/4568-137-0x0000000002520000-0x0000000002A95000-memory.dmp
memory/4568-138-0x0000000061DC0000-0x0000000062404000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
64s
Max time network
145s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5016 wrote to memory of 2480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5016 wrote to memory of 2480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5016 wrote to memory of 2480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 20.189.173.11:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
memory/2480-132-0x0000000000000000-mapping.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2016 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
Network
Files
memory/1496-54-0x0000000000000000-mapping.dmp
memory/1496-55-0x00000000761F1000-0x00000000761F3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-stable-win32.zip
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5076 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5076 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5076 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2708 -ip 2708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 684
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 2.18.109.224:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
Files
memory/2708-132-0x0000000000000000-mapping.dmp
memory/2708-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/2708-134-0x0000000061940000-0x0000000061EB5000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
90s
Max time network
154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2260 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2260 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2260 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 52.168.117.170:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| N/A | 88.221.25.154:80 | N/A | tcp |
| N/A | 88.221.25.154:80 | N/A | tcp |
| N/A | 88.221.25.154:80 | N/A | tcp |
Files
memory/2040-132-0x0000000000000000-mapping.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20221111-en
Max time kernel
26s
Max time network
99s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 832 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 216.58.214.14:443 | N/A | tcp |
| N/A | 8.8.8.8:443 | N/A | tcp |
| N/A | 8.8.4.4:443 | N/A | tcp |
Files
memory/972-54-0x0000000000000000-mapping.dmp
memory/972-55-0x0000000075701000-0x0000000075703000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 276
Network
Files
memory/1940-54-0x0000000000000000-mapping.dmp
memory/1940-55-0x0000000075B41000-0x0000000075B43000-memory.dmp
memory/1488-56-0x0000000000000000-mapping.dmp
memory/1940-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20221111-en
Max time kernel
29s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 960 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 960 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 960 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 960 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 960 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 960 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 960 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
Network
Files
memory/880-54-0x0000000000000000-mapping.dmp
memory/880-55-0x00000000757C1000-0x00000000757C3000-memory.dmp
memory/880-56-0x0000000001E80000-0x00000000024C4000-memory.dmp
memory/880-58-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/880-59-0x0000000061940000-0x0000000061EB5000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220812-en
Max time kernel
43s
Max time network
47s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 264
Network
Files
memory/976-54-0x0000000000000000-mapping.dmp
memory/976-55-0x0000000075A81000-0x0000000075A83000-memory.dmp
memory/932-56-0x0000000000000000-mapping.dmp
memory/976-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
91s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4836 wrote to memory of 5040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4836 wrote to memory of 5040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4836 wrote to memory of 5040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5040 -ip 5040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 40.79.189.59:443 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
memory/5040-132-0x0000000000000000-mapping.dmp
memory/5040-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1884 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
Network
Files
memory/548-54-0x0000000000000000-mapping.dmp
memory/548-55-0x0000000076171000-0x0000000076173000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20221111-en
Max time kernel
29s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 820 wrote to memory of 1188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 820 wrote to memory of 1188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 820 wrote to memory of 1188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 820 wrote to memory of 1188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 820 wrote to memory of 1188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 820 wrote to memory of 1188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 820 wrote to memory of 1188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
Network
Files
memory/1188-54-0x0000000000000000-mapping.dmp
memory/1188-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220812-en
Max time kernel
126s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4996 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4996 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4996 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1816 -ip 1816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 676
Network
| Country | Destination | Domain | Proto |
| N/A | 8.238.20.126:80 | | tcp |
| N/A | 8.238.20.126:80 | | tcp |
| N/A | 8.253.208.120:80 | | tcp |
Files
memory/1816-132-0x0000000000000000-mapping.dmp
memory/1816-133-0x00000000025D0000-0x0000000002B45000-memory.dmp
memory/1816-135-0x00000000025D0000-0x0000000002B45000-memory.dmp
memory/1816-136-0x0000000068880000-0x0000000068DAF000-memory.dmp
memory/1816-137-0x00000000025D0000-0x0000000002B45000-memory.dmp
memory/1816-138-0x0000000061DC0000-0x0000000062404000-memory.dmp
memory/1816-139-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3196 wrote to memory of 1320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3196 wrote to memory of 1320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3196 wrote to memory of 1320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 20.42.65.89:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/1320-132-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-stable-win32.zip
Network
| Country | Destination | Domain | Proto |
| N/A | 8.238.110.126:80 | | tcp |
| N/A | 13.89.179.10:443 | | tcp |
| N/A | 8.238.110.126:80 | | tcp |
| N/A | 8.238.110.126:80 | | tcp |
| N/A | 8.238.110.126:80 | | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20221111-en
Max time kernel
90s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4308 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4308 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4308 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2988 -ip 2988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 716
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 40.79.189.58:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 8.238.21.126:80 | | tcp |
| N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/2988-132-0x0000000000000000-mapping.dmp
memory/2988-133-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220812-en
Max time kernel
116s
Max time network
149s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar
Network
| Country | Destination | Domain | Proto |
| N/A | 95.101.78.106:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 20.44.10.122:443 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
Files
memory/2240-136-0x0000000002CF0000-0x0000000003CF0000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220812-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 20.42.65.84:443 | | tcp |
| N/A | 8.253.208.113:80 | | tcp |
| N/A | 8.253.208.113:80 | | tcp |
Files
memory/1944-132-0x0000000000000000-mapping.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20221111-en
Max time kernel
30s
Max time network
34s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar
Network
Files
memory/1400-54-0x000007FEFC1E1000-0x000007FEFC1E3000-memory.dmp
memory/1400-62-0x0000000002180000-0x0000000005180000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20221111-en
Max time kernel
29s
Max time network
33s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1692 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1692 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1692 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1692 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1692 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1692 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1692 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
Network
Files
memory/2004-54-0x0000000000000000-mapping.dmp
memory/2004-55-0x0000000076651000-0x0000000076653000-memory.dmp
memory/2004-56-0x0000000002140000-0x00000000026B5000-memory.dmp
memory/2004-58-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220901-en
Max time kernel
43s
Max time network
49s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 264
Network
Files
memory/856-54-0x0000000000000000-mapping.dmp
memory/856-55-0x0000000075711000-0x0000000075713000-memory.dmp
memory/1688-56-0x0000000000000000-mapping.dmp
memory/856-57-0x0000000068880000-0x0000000068DAF000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win7-20220812-en
Max time kernel
41s
Max time network
45s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1664 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1664 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
Network
Files
memory/1928-54-0x0000000000000000-mapping.dmp
memory/1928-55-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2023-01-05 22:15
Reported
2023-01-05 22:19
Platform
win10v2004-20220901-en
Max time kernel
68s
Max time network
130s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4296 wrote to memory of 1716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4296 wrote to memory of 1716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4296 wrote to memory of 1716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.73.24:443 | | tcp |
| N/A | 2.18.109.224:443 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
| N/A | 88.221.25.155:80 | | tcp |
Files
memory/1716-132-0x0000000000000000-mapping.dmp