Analysis Overview
SHA256
198c817204d7e72e30f7c7778d88c24898e653e54a08bc9ee9e9ecbbe8e79732
Threat Level: Known bad
The file MultiMC.zip was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Downloads MZ/PE file
Executes dropped EXE
Program crash
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-09 01:58
Signatures
Analysis: behavioral19
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
49s
Max time network
70s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.15:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
Files
memory/2628-122-0x0000000003490000-0x0000000004490000-memory.dmp
memory/2628-130-0x0000000003490000-0x0000000004490000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
50s
Max time network
73s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2672 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libMultiMC_logic.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libMultiMC_logic.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 712
Network
Files
memory/2668-120-0x0000000000000000-mapping.dmp
memory/2668-122-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-124-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-126-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-128-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-130-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-132-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-134-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-133-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-135-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-137-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-139-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-138-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-136-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-131-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-140-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-141-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-143-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-142-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-129-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-127-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-125-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-123-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-121-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-145-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-144-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-146-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-148-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-150-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-152-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-153-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-154-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-151-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-149-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-147-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-155-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-156-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-158-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-157-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-159-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-160-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-162-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-165-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-167-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-169-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-170-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-172-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-173-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-175-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-174-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-176-0x0000000000B30000-0x0000000001175000-memory.dmp
memory/2668-171-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-178-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-168-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-179-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-166-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-180-0x0000000000B30000-0x0000000001175000-memory.dmp
memory/2668-181-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-182-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-183-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-164-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-163-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-161-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-184-0x0000000063100000-0x000000006314F000-memory.dmp
memory/2668-185-0x0000000068880000-0x0000000068DAE000-memory.dmp
memory/2668-186-0x0000000061940000-0x0000000061E60000-memory.dmp
memory/2668-187-0x0000000000B30000-0x0000000001175000-memory.dmp
memory/2668-188-0x0000000068040000-0x0000000068270000-memory.dmp
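Every behavioral analysis on this page ends with a Files list of memory dumps whose names encode the PID, a sequence number and the dumped address range (or `mapping.dmp` for a mapping record); behavioral20 alone lists the region 0x77560000-0x776EE000 dozens of times. The block below is an added Python example, not part of the sandbox output, that parses those names and collapses repeated dumps of one region into a single row with its size, dump count and sequence span. The sample list is a constructed subset of the behavioral20 entries above, and the name layout the regex expects is taken from those entries only.

```python
import re

# Constructed sample: a subset of the behavioral20 "Files" entries above.
SAMPLE_FILES = """
memory/2668-120-0x0000000000000000-mapping.dmp
memory/2668-122-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-124-0x0000000077560000-0x00000000776EE000-memory.dmp
memory/2668-176-0x0000000000B30000-0x0000000001175000-memory.dmp
memory/2668-180-0x0000000000B30000-0x0000000001175000-memory.dmp
memory/2668-184-0x0000000063100000-0x000000006314F000-memory.dmp
memory/2668-185-0x0000000068880000-0x0000000068DAE000-memory.dmp
""".strip().splitlines()

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x0...0-mapping.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]{16})"
    r"(?:-0x(?P<end>[0-9A-Fa-f]{16})-memory|-mapping)\.dmp$"
)


def parse_dump_name(name):
    """Return the fields encoded in one dump file name, or None if it is not one."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    end = int(m.group("end"), 16) if m.group("end") else None
    return {
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "start": int(m.group("start"), 16),
        "end": end,
        "kind": "mapping" if end is None else "region",
    }


def summarize_regions(names):
    """Collapse repeated dumps of the same (pid, start, end) into one row each."""
    rows = {}
    for n in names:
        d = parse_dump_name(n)
        if d is None or d["kind"] != "region":
            continue
        key = (d["pid"], d["start"], d["end"])
        r = rows.setdefault(key, {
            "pid": d["pid"], "start": d["start"], "end": d["end"],
            "size": d["end"] - d["start"], "count": 0,
            "first_seq": d["seq"], "last_seq": d["seq"],
        })
        r["count"] += 1
        r["first_seq"] = min(r["first_seq"], d["seq"])
        r["last_seq"] = max(r["last_seq"], d["seq"])
    return list(rows.values())


def format_summary(rows):
    """One line per unique region, sorted by base address."""
    out = []
    for r in sorted(rows, key=lambda r: r["start"]):
        out.append(
            f"pid {r['pid']}  0x{r['start']:08X}-0x{r['end']:08X}  "
            f"{r['size'] / 1024:8.0f} KiB  dumped {r['count']}x  "
            f"seq {r['first_seq']}..{r['last_seq']}"
        )
    return "\n".join(out)


if __name__ == "__main__":
    print(format_summary(summarize_regions(SAMPLE_FILES)))
```

Run against a full Files list, the summary shows how many distinct regions the sandbox actually captured for a PID; the repeated entries are re-dumps of the same range at successive points in the run, not additional allocations.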
Analysis: behavioral23
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
50s
Max time network
72s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2676 wrote to memory of 2908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2676 wrote to memory of 2908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2676 wrote to memory of 2908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libnbt++.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libnbt++.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 648
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.2:443 | N/A | tcp |
Files
memory/2908-120-0x0000000000000000-mapping.dmp
memory/2908-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-124-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-127-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-154-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-155-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-156-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-161-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2908-167-0x0000000063100000-0x000000006314F000-memory.dmp
memory/2908-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
105s
Max time network
114s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1760 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1760 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1760 wrote to memory of 1968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libstdc++-6.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libstdc++-6.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 648
Network
| Country | Destination | Domain | Proto |
| N/A | 20.50.73.9:443 | N/A | tcp |
Files
memory/1968-120-0x0000000000000000-mapping.dmp
memory/1968-121-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-122-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-123-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-124-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-125-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-126-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-127-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-128-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-129-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-130-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-131-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-132-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-133-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-134-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-136-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-139-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-138-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-141-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-142-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-140-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-137-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-135-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-143-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-144-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-147-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-146-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-148-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-149-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-151-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-150-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-152-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-145-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-154-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-156-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-155-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-153-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-157-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-158-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-159-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-160-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-161-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-162-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-164-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-163-0x0000000077710000-0x000000007789E000-memory.dmp
memory/1968-165-0x0000000077710000-0x000000007789E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
52s
Max time network
82s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2584 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2584 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2584 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 684
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.13:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
Files
memory/2688-117-0x0000000000000000-mapping.dmp
memory/2688-118-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-119-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-120-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-121-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-122-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-123-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-124-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-125-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-126-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-127-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-128-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-130-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-129-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-131-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-132-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-134-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-133-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-135-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-136-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-138-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-139-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-137-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-140-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-142-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-144-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-143-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-145-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-146-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-148-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-147-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-141-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-149-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-150-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-151-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-152-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-153-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-154-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-155-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-158-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-157-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-156-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-160-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-161-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-163-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-162-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-164-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-165-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-166-0x0000000068880000-0x0000000068DAE000-memory.dmp
memory/2688-159-0x0000000077A40000-0x0000000077BCE000-memory.dmp
memory/2688-167-0x0000000061940000-0x0000000061E60000-memory.dmp
memory/2688-168-0x0000000077A40000-0x0000000077BCE000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
70s
Max time network
92s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 3580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1736 wrote to memory of 3580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1736 wrote to memory of 3580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 708
Network
| Country | Destination | Domain | Proto |
| N/A | 51.11.192.50:443 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
Files
memory/3580-116-0x0000000000000000-mapping.dmp
memory/3580-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-120-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp
memory/3580-171-0x0000000068880000-0x0000000068DAE000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2728 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2728 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2728 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\zlib1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\zlib1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 616
Network
| Country | Destination | Domain | Proto |
| N/A | 20.50.73.10:443 | N/A | tcp |
| N/A | 13.107.4.50:80 | N/A | tcp |
Files
memory/3056-117-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-116-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-118-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-115-0x0000000000000000-mapping.dmp
memory/3056-119-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-120-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-122-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-123-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-125-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-126-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-128-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-130-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-131-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-129-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-134-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-136-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-137-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-139-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-140-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-141-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-138-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-135-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-133-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-132-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-127-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-124-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-121-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-142-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-143-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-144-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-145-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-146-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-147-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-149-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-151-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-150-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-152-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-154-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-155-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-157-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-158-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-156-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-153-0x0000000077100000-0x000000007728E000-memory.dmp
memory/3056-148-0x0000000077100000-0x000000007728E000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
107s
Max time network
113s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2588 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2588 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2588 wrote to memory of 2676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjp2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjp2.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 13.69.239.74:443 | N/A | tcp |
Files
memory/2676-120-0x0000000000000000-mapping.dmp
memory/2676-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp
memory/2676-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp
memory/2676-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp
memory/2676-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp
memory/2676-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp
memory/2676-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp
memory/2676-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
54s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 684
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2692 wrote to memory of 2984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2692 wrote to memory of 2984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2692 wrote to memory of 2984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.73.27:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.0.1688250694\855777279" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 1616 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.3.353584372\1578043995" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2016 -prefsLen 156 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 2224 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.13.400974331\74111330" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 6938 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 3448 tab
C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe"
C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe"
Network
Files
C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe
| MD5 | 7542ec421a2f6e90751e8b64c22e0542 |
| SHA1 | d207d221a28ede5c2c8415f82c555989aa7068ba |
| SHA256 | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6 |
| SHA512 | 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc |
C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 05978a920a46b218db8ddbd2491b7916 |
| SHA1 | 1888d4e762b62feb193a8da595f35b8b7ceafc77 |
| SHA256 | 44ca11bf67064507be4d33b47279d06616dff1705608fcea57ea7279267cfb29 |
| SHA512 | a4be4f6dab361155b7d883bd194ca06ca7115214a58e2218a31bac2a8b9e91ff604f5b2fb758326b53dddfe5a010ca49b19441d48248fb276fee5a5a05c030cc |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
48s
Max time network
72s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 2844 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2844 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2844 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 688
Network
| Country | Destination | Domain | Proto |
| N/A | 20.50.201.195:443 | | tcp |
| N/A | 67.26.111.254:80 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
48s
Max time network
64s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 3776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 3776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3044 wrote to memory of 3776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qdds.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qdds.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.73.24:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
53s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2692 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2692 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2692 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.65.89:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar
Network
| Country | Destination | Domain | Proto |
| N/A | 2.16.119.157:443 | | tcp |
| N/A | 20.42.65.90:443 | | tcp |
Files
memory/3512-125-0x0000000002DA0000-0x0000000003DA0000-memory.dmp
memory/3512-126-0x0000000002DA0000-0x0000000003DA0000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
50s
Max time network
54s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 4584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 4584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 4584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libssl32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libssl32.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
52s
Max time network
147s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4944 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4944 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4944 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.14:443 | | tcp |
| N/A | 95.101.78.82:80 | | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
53s
Max time network
75s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2672 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 13.78.111.198:443 | | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
98s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3520 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3520 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3520 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.10:443 | | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
50s
Max time network
148s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1484 wrote to memory of 4744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 4744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1484 wrote to memory of 4744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwebp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwebp.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 52.182.143.210:443 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
Files
memory/4744-120-0x0000000000000000-mapping.dmp
memory/4744-121-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-123-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-124-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-126-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-128-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-131-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-133-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-135-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-137-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-139-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-140-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-142-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-144-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-143-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-141-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-138-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-136-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-134-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-132-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-146-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-145-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-147-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-130-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-129-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-127-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-125-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-122-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-148-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-150-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-151-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-149-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-152-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-155-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-156-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-154-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-157-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-158-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-153-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-159-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-160-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-161-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-162-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-163-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-164-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-165-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-169-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-170-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-168-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-167-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-166-0x0000000077850000-0x00000000779DE000-memory.dmp
memory/4744-171-0x0000000077850000-0x00000000779DE000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
48s
Max time network
53s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3716 wrote to memory of 4892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3716 wrote to memory of 4892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3716 wrote to memory of 4892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libwinpthread-1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libwinpthread-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 52.168.112.66:443 | | tcp |
Files
memory/4892-117-0x0000000000000000-mapping.dmp
memory/4892-119-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-121-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-124-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-126-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-128-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-129-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-130-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-132-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-133-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-134-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-136-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-137-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-139-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-141-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-140-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-138-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-135-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-131-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-142-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-143-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-127-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-144-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-125-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-123-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-145-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-146-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-122-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-120-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-118-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-147-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-149-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-151-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-153-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-152-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-155-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-156-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-157-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-158-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-154-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-150-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-148-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-159-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-160-0x0000000077B00000-0x0000000077C8E000-memory.dmp
memory/4892-161-0x0000000077B00000-0x0000000077C8E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
69s
Max time network
92s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 704
Network
| Country | Destination | Domain | Proto |
| N/A | 51.11.192.50:443 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
Files
memory/3500-116-0x0000000000000000-mapping.dmp
memory/3500-117-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-118-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-119-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-120-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-121-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-122-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-123-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-124-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-125-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-126-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-127-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-128-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-129-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-130-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-131-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-132-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-133-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-134-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-136-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-135-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-137-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-138-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-140-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-139-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-141-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-142-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-143-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-144-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-145-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-146-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-148-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-149-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-151-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-150-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-147-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-152-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-153-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-154-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-155-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-156-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-158-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-157-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-160-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-159-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-161-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-162-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-163-0x00000000049A0000-0x0000000004EC0000-memory.dmp
memory/3500-165-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-166-0x00000000049A0000-0x0000000004EC0000-memory.dmp
memory/3500-167-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-168-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-169-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-171-0x00000000049A0000-0x0000000004EC0000-memory.dmp
memory/3500-170-0x0000000068880000-0x0000000068DAE000-memory.dmp
memory/3500-172-0x0000000061DC0000-0x0000000062405000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
50s
Max time network
59s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2540 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2540 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2540 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 13.69.109.131:443 | | tcp |
| N/A | 8.252.118.126:80 | | tcp |
Files
memory/2756-117-0x0000000000000000-mapping.dmp
memory/2756-118-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-119-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-120-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-121-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-122-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-123-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-125-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-124-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-126-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-127-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-128-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-129-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-130-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-131-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-132-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-133-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-134-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-136-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-137-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-139-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-138-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-135-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-142-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-144-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-143-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-146-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-145-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-147-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-148-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-141-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-140-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-149-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-152-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-153-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-151-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-150-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-154-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-155-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-156-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-157-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-158-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-159-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-160-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-161-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-162-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-163-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-164-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-165-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-166-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-167-0x0000000077580000-0x000000007770E000-memory.dmp
memory/2756-168-0x0000000077580000-0x000000007770E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1756 wrote to memory of 4704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 4704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 4704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libeay32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libeay32.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 51.105.71.137:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/4704-116-0x0000000000000000-mapping.dmp
memory/4704-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp
memory/4704-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
51s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2656 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2656 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2656 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 636
Network
| Country | Destination | Domain | Proto |
| N/A | 20.50.80.210:443 | | tcp |
| N/A | 67.27.153.254:80 | | tcp |
Files
memory/2696-115-0x0000000000000000-mapping.dmp
memory/2696-116-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-117-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-118-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-119-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-120-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-121-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-122-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-123-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-124-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-125-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-127-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-126-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-129-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-128-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-130-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-131-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-132-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-133-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-134-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-135-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-136-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-137-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-140-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-141-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-142-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-144-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-145-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-147-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-146-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-148-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-150-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-149-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-143-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-151-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-139-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-138-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-152-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-153-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-154-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-155-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-156-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-157-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-158-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-159-0x00000000775D0000-0x000000007775E000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
52s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2704 wrote to memory of 2868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2704 wrote to memory of 2868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2704 wrote to memory of 2868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\librainbow.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\librainbow.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 692
Network
| Country | Destination | Domain | Proto |
| N/A | 168.63.250.82:80 | | tcp |
Files
memory/2868-116-0x0000000000000000-mapping.dmp
memory/2868-118-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-120-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-119-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-122-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-123-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-125-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-126-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-128-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-127-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-124-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-121-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-117-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-130-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-132-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-133-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-134-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-136-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-135-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-137-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-131-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-138-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-140-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-141-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-142-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-143-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-145-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-144-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-139-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-146-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-147-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-129-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-149-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-151-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-150-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-148-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-152-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-153-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-155-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-157-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-158-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-159-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-161-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-160-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-156-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-154-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-162-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-163-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-165-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-166-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-164-0x0000000076EF0000-0x000000007707E000-memory.dmp
memory/2868-167-0x0000000068880000-0x0000000068DAE000-memory.dmp
memory/2868-168-0x0000000061940000-0x0000000061E60000-memory.dmp
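The per-run blocks above (behavioral17, 27, 6, 8, 21, 22 and 24) all have the same shape: a 64-bit `C:\Windows\system32\rundll32.exe` is pointed at one DLL from the extracted MultiMC.zip with export ordinal `#1`, writes into a `C:\Windows\SysWOW64\rundll32.exe` child (which is how the 64-bit rundll32 hands a 32-bit DLL to its 32-bit counterpart, so the "Suspicious use of WriteProcessMemory" hit is that handoff rather than injection by the DLL), the child sometimes dies under WerFault (`-p <pid>` names the crashed process: Qt5Widgets.dll, libgcc_s_dw2-1.dll and librainbow.dll in the runs above), and the memory dumps are repeated captures of one region of identical size (0x18E000 bytes) at a high base that changes per run. The script below is an added example, not part of the report or of any sandbox vendor's tooling: it parses this block layout into one summary per run so the DLL, the WOW64 handoff, the crashed PID, the contacted IP:port pairs and the distinct dump-region sizes can be read at a glance instead of scrolled through. `REPORT` is a constructed, abridged excerpt in the page's layout (two runs, a few dump lines each) so that it runs offline; the `Run` class, `parse_report` and `summarize` are this example's own names.

```python
"""Parse the per-run blocks of the sandbox report and summarise each run.

Added example, not part of the report or of any sandbox vendor's tooling.
REPORT is a constructed, abridged excerpt in the page's layout so the
block runs offline; it tolerates both the well-formed and the
column-shifted Network rows that appear on the page.
"""
import re
from dataclasses import dataclass, field

REPORT = r"""
Analysis: behavioral6
Detonation Overview
Platform
win10-20220812-en
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 704
Network
| Country | Destination | Domain | Proto |
| N/A | 51.11.192.50:443 | | tcp |
| N/A | 93.184.220.29:80 | tcp | |
Files
memory/3500-116-0x0000000000000000-mapping.dmp
memory/3500-117-0x0000000077600000-0x000000007778E000-memory.dmp
memory/3500-163-0x00000000049A0000-0x0000000004EC0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Platform
win10-20220812-en
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1756 wrote to memory of 4704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libeay32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libeay32.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 51.105.71.137:443 | | tcp |
Files
memory/4704-116-0x0000000000000000-mapping.dmp
memory/4704-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp
"""

RUN_RE = re.compile(r"^Analysis: (\S+)$")
DLL_RE = re.compile(r"rundll32\.exe (\S+?\.dll),#(\d+)", re.IGNORECASE)
WERFAULT_RE = re.compile(r"WerFault\.exe -u -p (\d+)", re.IGNORECASE)
WPM_RE = re.compile(r"^\| PID (\d+) wrote to memory of (\d+) \|")
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SECTIONS = {"Signatures", "Processes", "Network", "Files"}


@dataclass
class Run:
    name: str
    signatures: list = field(default_factory=list)
    processes: list = field(default_factory=list)     # raw lines under Processes
    writes: list = field(default_factory=list)        # (writer pid, target pid)
    destinations: list = field(default_factory=list)  # (ip, port)
    dumps: list = field(default_factory=list)         # (pid, base, size)

    @property
    def dll(self):
        """Path and export ordinal rundll32 was told to call, if any."""
        for line in self.processes:
            m = DLL_RE.search(line)
            if m:
                return m.group(1), int(m.group(2))
        return None

    @property
    def wow64_handoff(self):
        """True when the 64-bit rundll32 spawned its SysWOW64 copy for the DLL."""
        images = {p.lower() for p in self.processes if " " not in p}
        return (r"c:\windows\system32\rundll32.exe" in images
                and r"c:\windows\syswow64\rundll32.exe" in images)

    @property
    def crashed_pid(self):
        """PID that WerFault was launched for (-p), i.e. the crashed process."""
        for line in self.processes:
            m = WERFAULT_RE.search(line)
            if m:
                return int(m.group(1))
        return None


def parse_report(text):
    """Split the report on 'Analysis:' headers and collect each run's sections."""
    runs, run, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            run = Run(m.group(1))
            runs.append(run)
            section = None
            continue
        if run is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "Signatures":
            m = WPM_RE.match(line)
            if m:
                run.writes.append((int(m.group(1)), int(m.group(2))))
            elif not line.startswith("|"):      # signature names, not table rows
                run.signatures.append(line)
        elif section == "Processes":
            run.processes.append(line)
        elif section == "Network" and line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            # Destination is always the second cell, even in the rows where
            # the page shifted "tcp" into the Domain column.
            if cells[0] != "Country" and len(cells) >= 2 and ":" in cells[1]:
                host, port = cells[1].rsplit(":", 1)
                run.destinations.append((host, int(port)))
        elif section == "Files":
            m = DUMP_RE.match(line)           # mapping.dmp entries carry no range
            if m:
                base, end = int(m.group(3), 16), int(m.group(4), 16)
                run.dumps.append((int(m.group(1)), base, end - base))
    return runs


def summarize(run):
    """Flatten one run into the fields an analyst compares across runs."""
    return {
        "run": run.name,
        "dll": run.dll,
        "wow64_handoff": run.wow64_handoff,
        "wpm_pairs": sorted(set(run.writes)),
        "crashed_pid": run.crashed_pid,
        "destinations": run.destinations,
        "dump_sizes": sorted({size for _, _, size in run.dumps}),
    }


if __name__ == "__main__":
    for run in parse_report(REPORT):
        s = summarize(run)
        dll, ordinal = s["dll"] or ("<none>", 0)
        print(f"{s['run']}: {dll} ordinal #{ordinal}")
        print(f"  wow64 handoff: {s['wow64_handoff']}  writes: {s['wpm_pairs']}")
        print(f"  crashed pid: {s['crashed_pid']}  destinations: {s['destinations']}")
        print("  dump sizes: " + ", ".join(f"0x{n:X}" for n in s["dump_sizes"]))
```

Two caveats when reading the output against the full report. The WOW64 handoff and the crash are what rundll32 does with any 32-bit library DLL whose ordinal `#1` export was not written for rundll32's calling convention, so on their own they say nothing about the DLL being malicious; and the repeated dumps of one fixed-size region at a per-run randomised high base look like a loaded module rather than freshly allocated memory, so compare the base against the process's module list before treating it as injected code. Attribution of the 443/80 destinations is left to the analyst; the page records only IP and port.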
Analysis: behavioral28
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
51s
Max time network
147s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 3156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2988 wrote to memory of 3156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2988 wrote to memory of 3156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\platforms\qwindows.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\platforms\qwindows.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
54s
Max time network
145s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 388 wrote to memory of 3720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 388 wrote to memory of 3720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 388 wrote to memory of 3720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\ssleay32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\ssleay32.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 52.182.143.208:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220901-en
Max time kernel
50s
Max time network
72s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2700 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2700 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2700 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 684
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.2:443 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
49s
Max time network
147s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2808 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2808 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2808 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2023-01-09 01:58
Reported
2023-01-09 02:02
Platform
win10-20220812-en
Max time kernel
49s
Max time network
60s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MultiMC\updater.exe
"C:\Users\Admin\AppData\Local\Temp\MultiMC\updater.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.50.201.195:443 | | tcp |
| N/A | 95.101.78.106:80 | | tcp |
Files