Malware Analysis Report

2025-01-02 11:52

Sample ID: 230109-cd5xgabd54
Target: MultiMC.zip
SHA256: 198c817204d7e72e30f7c7778d88c24898e653e54a08bc9ee9e9ecbbe8e79732
Tags: bazarbackdoor backdoor
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 198c817204d7e72e30f7c7778d88c24898e653e54a08bc9ee9e9ecbbe8e79732

Threat Level: Known bad

The file MultiMC.zip was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor

BazarBackdoor

Bazar/Team9 Backdoor payload

Downloads MZ/PE file

Executes dropped EXE

Program crash

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported: 2023-01-09 01:58

Signatures

N/A

Analysis: behavioral19

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 49s
Max time network: 70s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\NewLaunch.jar

Network

Country  Destination         Domain  Proto
N/A      20.189.173.15:443   -       tcp
N/A      209.197.3.8:80      -       tcp

Files

memory/2628-122-0x0000000003490000-0x0000000004490000-memory.dmp

memory/2628-130-0x0000000003490000-0x0000000004490000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220901-en
Max time kernel: 50s
Max time network: 73s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libMultiMC_logic.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libMultiMC_logic.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libMultiMC_logic.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 712

Network

N/A

Files

memory/2668-120-0x0000000000000000-mapping.dmp

memory/2668-122-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-124-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-126-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-128-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-130-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-132-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-134-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-133-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-135-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-137-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-139-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-138-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-136-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-131-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-140-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-141-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-143-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-142-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-129-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-127-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-125-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-123-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-121-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-145-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-144-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-146-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-148-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-150-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-152-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-153-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-154-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-151-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-149-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-147-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-155-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-156-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-158-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-157-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-159-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-160-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-162-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-165-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-167-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-169-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-170-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-172-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-173-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-175-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-174-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-176-0x0000000000B30000-0x0000000001175000-memory.dmp

memory/2668-171-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-178-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-168-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-179-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-166-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-180-0x0000000000B30000-0x0000000001175000-memory.dmp

memory/2668-181-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-182-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-183-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-164-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-163-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-161-0x0000000077560000-0x00000000776EE000-memory.dmp

memory/2668-184-0x0000000063100000-0x000000006314F000-memory.dmp

memory/2668-185-0x0000000068880000-0x0000000068DAE000-memory.dmp

memory/2668-186-0x0000000061940000-0x0000000061E60000-memory.dmp

memory/2668-187-0x0000000000B30000-0x0000000001175000-memory.dmp

memory/2668-188-0x0000000068040000-0x0000000068270000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220901-en
Max time kernel: 50s
Max time network: 72s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libnbt++.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libnbt++.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libnbt++.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 648

Network

Country  Destination        Domain  Proto
N/A      20.189.173.2:443   -       tcp

Files

memory/2908-120-0x0000000000000000-mapping.dmp

memory/2908-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-124-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-127-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-154-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-155-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-156-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-161-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2908-167-0x0000000063100000-0x000000006314F000-memory.dmp

memory/2908-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 105s
Max time network: 114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libstdc++-6.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 1968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1760 wrote to memory of 1968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1760 wrote to memory of 1968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libstdc++-6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libstdc++-6.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 648

Network

Country  Destination      Domain  Proto
N/A      20.50.73.9:443   -       tcp

Files

memory/1968-120-0x0000000000000000-mapping.dmp

memory/1968-121-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-122-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-123-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-124-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-125-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-126-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-127-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-128-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-129-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-130-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-131-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-132-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-133-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-134-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-136-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-139-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-138-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-141-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-142-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-140-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-137-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-135-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-143-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-144-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-147-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-146-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-148-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-149-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-151-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-150-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-152-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-145-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-154-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-156-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-155-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-153-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-157-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-158-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-159-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-160-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-161-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-162-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-164-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-163-0x0000000077710000-0x000000007789E000-memory.dmp

memory/1968-165-0x0000000077710000-0x000000007789E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 52s
Max time network: 82s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Gui.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 684

Network

Country  Destination         Domain  Proto
N/A      20.189.173.13:443   -       tcp
N/A      209.197.3.8:80      -       tcp

Files

memory/2688-117-0x0000000000000000-mapping.dmp

memory/2688-118-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-119-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-120-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-121-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-122-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-123-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-124-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-125-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-126-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-127-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-128-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-130-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-129-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-131-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-132-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-134-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-133-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-135-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-136-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-138-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-139-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-137-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-140-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-142-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-144-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-143-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-145-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-146-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-148-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-147-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-141-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-149-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-150-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-151-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-152-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-153-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-154-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-155-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-158-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-157-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-156-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-160-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-161-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-163-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-162-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-164-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-165-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-166-0x0000000068880000-0x0000000068DAE000-memory.dmp

memory/2688-159-0x0000000077A40000-0x0000000077BCE000-memory.dmp

memory/2688-167-0x0000000061940000-0x0000000061E60000-memory.dmp

memory/2688-168-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 70s
Max time network: 92s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 3580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1736 wrote to memory of 3580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1736 wrote to memory of 3580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Network.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 708

Network

Country  Destination        Domain  Proto
N/A      51.11.192.50:443   -       tcp
N/A      93.184.220.29:80   -       tcp

Files

memory/3580-116-0x0000000000000000-mapping.dmp

memory/3580-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-120-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

memory/3580-171-0x0000000068880000-0x0000000068DAE000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 148s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\zlib1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2728 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2728 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\zlib1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\zlib1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 616

Network

Country  Destination       Domain  Proto
N/A      20.50.73.10:443   -       tcp
N/A      13.107.4.50:80    -       tcp

Files

memory/3056-117-0x0000000077100000-0x000000007728E000-memory.dmp

memory/3056-116-0x0000000077100000-0x000000007728E000-memory.dmp

memory/3056-118-0x0000000077100000-0x000000007728E000-memory.dmp

memory/3056-115-0x0000000000000000-mapping.dmp

memory/3056-119-0x0000000077100000-0x000000007728E000-memory.dmp

memory/3056-120-0x0000000077100000-0x000000007728E000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

107s

Max time network

113s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjp2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjp2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjp2.dll,#1

Network

Country Destination Domain Proto
N/A 13.69.239.74:443 tcp

Files

Analysis: behavioral7

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

54s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Xml.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 684

Network

N/A

Files

Analysis: behavioral12

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220901-en

Max time kernel

143s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qico.dll,#1

Network

Country Destination Domain Proto
N/A 20.42.73.27:443 tcp
N/A 209.197.3.8:80 tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 2112 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 2112 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
PID 2112 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
PID 2112 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\ProgramData\Oracle\Java\javapath\java.exe
PID 2112 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe C:\ProgramData\Oracle\Java\javapath\java.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3948 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3948 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 4408 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\MultiMC.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:/Users/Admin/AppData/Local/Temp/MultiMC/jars/JavaCheck.jar

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.0.1688250694\855777279" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 1616 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.3.353584372\1578043995" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2016 -prefsLen 156 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 2224 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3204.13.400974331\74111330" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 6938 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3204 "\\.\pipe\gecko-crash-server-pipe.3204" 3448 tab

C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

"C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe"

C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe

"C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe"

Network

N/A 8.8.8.8:53 www.oracle.com udp
N/A 8.8.8.8:53 e2581.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 e2581.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 c.oracleinfinity.io udp
N/A 8.8.8.8:53 e11123.x.akamaiedge.net udp
N/A 8.8.8.8:53 e11123.x.akamaiedge.net udp
N/A 147.154.233.124:443 dc.oracleinfinity.io.akadns.net tcp
N/A 147.154.233.124:443 dc.oracleinfinity.io.akadns.net tcp
N/A 147.154.233.124:443 dc.oracleinfinity.io.akadns.net tcp
N/A 8.8.8.8:53 javadl.oracle.com udp
N/A 104.73.148.114:443 javadl.oracle.com tcp
N/A 8.8.8.8:53 e13073.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 e13073.dscx.akamaiedge.net udp
N/A 8.8.8.8:53 sdlc-esd.oracle.com udp
N/A 2.20.8.83:443 sdlc-esd.oracle.com tcp
N/A 8.8.8.8:53 e2875.dscd.akamaiedge.net udp
N/A 8.8.8.8:53 e2875.dscd.akamaiedge.net udp
N/A 8.8.8.8:53 status.mojang.com udp
N/A 8.8.8.8:53 status.mojang.com udp
N/A 8.8.8.8:53 javadl-esd-secure.oracle.com udp
N/A 23.65.205.24:443 javadl-esd-secure.oracle.com tcp
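
The Network table above mixes two kinds of rows that are easy to confuse when pulling indicators: a `udp` row to port 53 carries the sandbox resolver (8.8.8.8) in the Destination column and the queried name in Domain, so it records a lookup, not a contacted host, while a `tcp` row records a connection that was actually made. Some runs below (behavioral2, behavioral9) also contain `tcp` rows with an empty Domain column, which can only be attributed from the capture itself. The following helper is an added example, not part of the report or of the sandbox's tooling; it parses rows in exactly the four-column layout used on this page and separates lookups, connections and bare IP:port destinations. The sample rows are copied from this page's tables.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the Network tables of this report
# (columns: Country Destination Domain Proto; Country is N/A throughout).
# The last two rows, which have no Domain, are from the behavioral2 table.
SAMPLE_ROWS = """\
N/A 8.8.8.8:53 id.google.com udp
N/A 216.58.208.99:443 id.google.com tcp
N/A 8.8.8.8:53 i.ytimg.com udp
N/A 142.250.179.150:443 i.ytimg.com tcp
N/A 142.250.179.150:443 i.ytimg.com tcp
N/A 8.8.8.8:53 status.mojang.com udp
N/A 8.8.8.8:53 javadl.oracle.com udp
N/A 104.73.148.114:443 javadl.oracle.com tcp
N/A 20.50.201.195:443 tcp
N/A 67.26.111.254:80 tcp
"""

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?"   # Domain column may be empty
    r"\s+(?P<proto>tcp|udp)$"
)


def summarize(rows_text):
    """Split sandbox network rows into DNS lookups and real connections.

    A udp/53 row names the resolver in Destination and the queried name in
    Domain, so it is counted as a lookup and never as a contacted host.
    """
    dns_queries = defaultdict(int)   # queried name -> number of lookups
    connections = defaultdict(set)   # name -> {"ip:port", ...} actually reached
    unresolved = set()               # "ip:port" rows with no name attached
    for line in rows_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ip, port, domain, proto = m["ip"], m["port"], m["domain"], m["proto"]
        if proto == "udp" and port == "53" and domain:
            dns_queries[domain] += 1
        elif domain:
            connections[domain].add(f"{ip}:{port}")
        else:
            unresolved.add(f"{ip}:{port}")
    return {
        "dns_queries": dict(dns_queries),
        "connections": {d: sorted(v) for d, v in sorted(connections.items())},
        # Looked up but never connected to: still a usable indicator.
        "looked_up_only": sorted(set(dns_queries) - set(connections)),
        # Bare IP:port rows need the pcap (SNI, HTTP Host) to attribute.
        "unresolved": sorted(unresolved),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

On the sample, `status.mojang.com` ends up under `looked_up_only` (queried, never connected to) and the two domain-less behavioral2 rows under `unresolved`; the resolver 8.8.8.8 never appears as a destination.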

Files

memory/2112-120-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-121-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-122-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-123-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-124-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-125-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-126-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-127-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-128-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-129-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-130-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-131-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-132-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-133-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-134-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-135-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-138-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-140-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-141-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-142-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-144-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-145-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-143-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-139-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-137-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-147-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-148-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-149-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-150-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-151-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-152-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-153-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-154-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-155-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-157-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-159-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-161-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-162-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-164-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-165-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-166-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-163-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-167-0x0000000001180000-0x00000000017C5000-memory.dmp

memory/2112-169-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-160-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-158-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-170-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-156-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-146-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-136-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-171-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-172-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-173-0x0000000068880000-0x0000000068DAE000-memory.dmp

memory/2112-175-0x0000000063100000-0x000000006314F000-memory.dmp

memory/2112-174-0x0000000061940000-0x0000000061E60000-memory.dmp

memory/2112-176-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-177-0x0000000001180000-0x00000000017C5000-memory.dmp

memory/2112-178-0x0000000001180000-0x00000000017C5000-memory.dmp

memory/2112-180-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-182-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-181-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/2112-179-0x0000000068040000-0x0000000068270000-memory.dmp

memory/2112-183-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-184-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-185-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-186-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-187-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-189-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/2112-188-0x00000000772B0000-0x000000007743E000-memory.dmp

memory/1604-235-0x0000000000000000-mapping.dmp

memory/4172-237-0x0000000000000000-mapping.dmp

memory/1116-236-0x0000000000000000-mapping.dmp

memory/1604-255-0x00000000027C0000-0x00000000037C0000-memory.dmp

memory/2112-256-0x0000000068880000-0x0000000068DAE000-memory.dmp

memory/2112-257-0x0000000061940000-0x0000000061E60000-memory.dmp

memory/2112-258-0x0000000001180000-0x00000000017C5000-memory.dmp

memory/2112-259-0x0000000068040000-0x0000000068270000-memory.dmp

memory/2112-260-0x0000000000400000-0x00000000006C2000-memory.dmp

memory/1604-261-0x00000000027C0000-0x00000000037C0000-memory.dmp

C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

MD5 7542ec421a2f6e90751e8b64c22e0542
SHA1 d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

memory/640-264-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jds240684296.tmp\jre-8u351-windows-x64.exe

MD5 dfcfc788d67437530a50177164db42b0
SHA1 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256 a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512 dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 05978a920a46b218db8ddbd2491b7916
SHA1 1888d4e762b62feb193a8da595f35b8b7ceafc77
SHA256 44ca11bf67064507be4d33b47279d06616dff1705608fcea57ea7279267cfb29
SHA512 a4be4f6dab361155b7d883bd194ca06ca7115214a58e2218a31bac2a8b9e91ff604f5b2fb758326b53dddfe5a010ca49b19441d48248fb276fee5a5a05c030cc

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220901-en

Max time kernel

48s

Max time network

72s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Core.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 688

Network

Country Destination Domain Proto
N/A 20.50.201.195:443 tcp
N/A 67.26.111.254:80 tcp

Files

memory/2844-120-0x0000000000000000-mapping.dmp

memory/2844-121-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-122-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-123-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-124-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-125-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-126-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-127-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-128-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-130-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-129-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-131-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-132-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-133-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-134-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-136-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-135-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-137-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-138-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-140-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-139-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-141-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-142-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-143-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-144-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-145-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-146-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-147-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-148-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-149-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-150-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-151-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-152-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-153-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-154-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-155-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-156-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-158-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-157-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-159-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-160-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-162-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-164-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-163-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-161-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-165-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-167-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-168-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-166-0x0000000077D90000-0x0000000077F1E000-memory.dmp

memory/2844-169-0x0000000068880000-0x0000000068DAE000-memory.dmp
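
The Files lists in this analysis and the preceding one are dominated by repeated dumps of a single region per process: `0x77D90000-0x77F1E000` for PID 2844 here, `0x772B0000-0x7743E000` for PID 2112 above. Both spans are 0x18E000 bytes, and the same size recurs at a different 0x77xxxxxx base in every rundll32 child later on this page, which is what one system image relocated per boot looks like; which module it is can only be settled from the dump itself. What an analyst actually wants from these lists is the set of distinct (PID, range) regions, how often each was captured, and the order in which new regions appeared (the zero-address `mapping.dmp` entries are the first record for each newly spawned PID on this page). The helper below is an added example, not part of the report or of the sandbox's tooling; it parses the two filename shapes used on this page and collapses the list to one record per region. The sample entries are copied from the two Files lists, with most repeats omitted.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the Files lists of this analysis
# (PID 2844) and the preceding one (PIDs 2112 and 1604). The real lists
# repeat the 0x77xxxxxx region dozens of times; only two copies are kept.
SAMPLE_FILES = """\
memory/2844-120-0x0000000000000000-mapping.dmp
memory/2844-121-0x0000000077D90000-0x0000000077F1E000-memory.dmp
memory/2844-122-0x0000000077D90000-0x0000000077F1E000-memory.dmp
memory/2844-169-0x0000000068880000-0x0000000068DAE000-memory.dmp
memory/2112-167-0x0000000001180000-0x00000000017C5000-memory.dmp
memory/2112-181-0x0000000000400000-0x00000000006C2000-memory.dmp
memory/2112-260-0x0000000000400000-0x00000000006C2000-memory.dmp
memory/1604-235-0x0000000000000000-mapping.dmp
memory/1604-255-0x00000000027C0000-0x00000000037C0000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# memory/<pid>-<seq>-0x0000000000000000-mapping.dmp
MAPPING_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x0+-mapping\.dmp$")


def summarize_dumps(text):
    """Collapse the dump list to one record per (pid, start, end) region."""
    seqs_by_region = defaultdict(list)   # (pid, start, end) -> [seq, ...]
    mapped = set()                       # PIDs that have a mapping.dmp entry
    for line in text.splitlines():
        line = line.strip()
        m = REGION_RE.match(line)
        if m:
            key = (int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
            seqs_by_region[key].append(int(m["seq"]))
            continue
        m = MAPPING_RE.match(line)
        if m:
            mapped.add(int(m["pid"]))
    regions = [
        {"pid": pid, "start": start, "end": end, "size": end - start,
         "dumps": len(seqs), "first_seq": min(seqs), "last_seq": max(seqs)}
        for (pid, start, end), seqs in sorted(seqs_by_region.items())
    ]
    return {"regions": regions, "mapped_pids": sorted(mapped)}


def describe(summary):
    """One human-readable line per region, ordered by PID and address."""
    return [
        f"pid {r['pid']} 0x{r['start']:08X}-0x{r['end']:08X} "
        f"({r['size']:#x} bytes) dumped {r['dumps']}x, "
        f"seq {r['first_seq']}-{r['last_seq']}"
        for r in summary["regions"]
    ]


if __name__ == "__main__":
    for line in describe(summarize_dumps(SAMPLE_FILES)):
        print(line)
```

Sorting by (PID, start address) puts a region at 0x00400000, the conventional default image base of a 32-bit executable and usually the main module, at the top of its process; the `first_seq`/`last_seq` pair shows whether a region was present from the start or only appeared later in the run.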

Analysis: behavioral9

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220901-en

Max time kernel

48s

Max time network

64s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qdds.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qdds.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qdds.dll,#1

Network

Country Destination Domain Proto
N/A 20.42.73.24:443 tcp
N/A 93.184.221.240:80 tcp

Files

memory/3776-117-0x0000000000000000-mapping.dmp

memory/3776-118-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-119-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-120-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-121-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-122-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-123-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-124-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-125-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-126-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-127-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-128-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-129-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-130-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-131-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-132-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-133-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-134-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-135-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-136-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-137-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-139-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-142-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-144-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-145-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-146-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-149-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-151-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-152-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-153-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-150-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-147-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-154-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-155-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-148-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-143-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-140-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-156-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-157-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-158-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-159-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-160-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-161-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-141-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-138-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-163-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-164-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-166-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-165-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-162-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-167-0x0000000077470000-0x00000000775FE000-memory.dmp

memory/3776-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

53s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwbmp.dll,#1

Network

Country Destination Domain Proto
N/A 20.42.65.89:443 tcp
N/A 93.184.221.240:80 tcp

Files

memory/2720-115-0x0000000000000000-mapping.dmp

memory/2720-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-119-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-122-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

memory/2720-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

143s

Max time network

147s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Signatures

N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\MultiMC\jars\JavaCheck.jar

Network

Country Destination Domain Proto
N/A 2.16.119.157:443 tcp
N/A 20.42.65.90:443 tcp

Files

memory/3512-125-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

memory/3512-126-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

50s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libssl32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libssl32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libssl32.dll,#1

Network

N/A

Files

memory/4584-118-0x0000000000000000-mapping.dmp

memory/4584-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-160-0x0000000004250000-0x000000000438A000-memory.dmp

memory/4584-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4584-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

52s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4944 wrote to memory of 4656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4944 wrote to memory of 4656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4944 wrote to memory of 4656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qgif.dll,#1

Network

Country Destination Domain Proto
N/A 20.189.173.14:443 tcp
N/A 95.101.78.82:80 tcp

Files

memory/4656-116-0x0000000000000000-mapping.dmp

memory/4656-117-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-118-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-119-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-120-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-121-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-122-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-123-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-124-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-125-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-126-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-127-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-128-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-129-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-130-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-131-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-132-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-133-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-134-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-135-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-136-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-137-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-138-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-139-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-140-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-141-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-145-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-146-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-148-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-149-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-150-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-147-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-144-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-152-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-151-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-143-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-154-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-155-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-156-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-157-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-153-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-142-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-158-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-159-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-160-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-161-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-163-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-162-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-165-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-166-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-164-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4656-167-0x0000000077520000-0x00000000776AE000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 53s
Max time network: 75s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qjpeg.dll,#1

Network

Country Destination Domain Proto
N/A 13.78.111.198:443 tcp

Files

memory/2692-116-0x0000000000000000-mapping.dmp

memory/2692-117-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-118-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-119-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-120-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-121-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-122-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-123-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-124-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-125-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-126-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-127-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-128-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-129-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-130-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-132-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-131-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-133-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-134-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-135-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-136-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-137-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-138-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-139-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-140-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-141-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-142-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-143-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-144-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-145-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-146-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-147-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-148-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-149-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-150-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-151-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-152-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-153-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-154-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-155-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-157-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-156-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-159-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-158-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-160-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-162-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-163-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-161-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-165-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-166-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-164-0x0000000077B40000-0x0000000077CCE000-memory.dmp

memory/2692-167-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 98s
Max time network: 150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3520 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3520 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qsvg.dll,#1

Network

Country Destination Domain Proto
N/A 20.189.173.10:443 tcp

Files

memory/5024-115-0x0000000000000000-mapping.dmp

memory/5024-116-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-117-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-118-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-119-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-120-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-121-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-122-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-123-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-124-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-126-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-125-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-127-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-128-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-129-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-131-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-130-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-132-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-134-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-133-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-135-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-136-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-137-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-138-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-139-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-142-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-144-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-140-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-150-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-151-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-153-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-152-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-154-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-155-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-159-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-162-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-165-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-163-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-164-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

memory/5024-166-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220901-en
Max time kernel: 50s
Max time network: 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwebp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 4744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 4744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 4744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwebp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qwebp.dll,#1

Network

Country Destination Domain Proto
N/A 52.182.143.210:443 tcp
N/A 87.248.202.1:80 tcp

Files

memory/4744-120-0x0000000000000000-mapping.dmp

memory/4744-121-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-123-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-124-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-126-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-128-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-131-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-133-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-135-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-137-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-139-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-140-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-142-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-144-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-143-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-141-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-138-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-136-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-134-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-132-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-146-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-145-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-147-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-130-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-129-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-127-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-125-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-122-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-148-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-150-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-151-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-149-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-152-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-155-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-156-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-154-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-157-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-158-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-153-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-159-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-160-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-161-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-162-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-163-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-164-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-165-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-169-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-170-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-168-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-167-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-166-0x0000000077850000-0x00000000779DE000-memory.dmp

memory/4744-171-0x0000000077850000-0x00000000779DE000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220901-en
Max time kernel: 48s
Max time network: 53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libwinpthread-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3716 wrote to memory of 4892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 4892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 4892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libwinpthread-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libwinpthread-1.dll,#1

Network

Country Destination Domain Proto
N/A 52.168.112.66:443 tcp

Files

memory/4892-117-0x0000000000000000-mapping.dmp

memory/4892-119-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-121-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-124-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-126-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-128-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-129-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-130-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-132-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-133-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-134-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-136-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-137-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-139-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-141-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-140-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-138-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-135-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-131-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-142-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-143-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-127-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-144-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-125-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-123-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-145-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-146-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-122-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-120-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-118-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-147-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-149-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-151-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-153-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-152-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-155-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-156-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-157-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-158-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-154-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-150-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-148-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-159-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-160-0x0000000077B00000-0x0000000077C8E000-memory.dmp

memory/4892-161-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 69s
Max time network: 92s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Widgets.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 704

Network

Country Destination Domain Proto
N/A 51.11.192.50:443 tcp
N/A 93.184.220.29:80 tcp

Files

memory/3500-116-0x0000000000000000-mapping.dmp

memory/3500-117-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-118-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-119-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-120-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-121-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-122-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-123-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-124-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-125-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-126-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-127-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-128-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-129-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-130-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-131-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-132-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-133-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-134-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-136-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-135-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-137-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-138-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-140-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-139-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-141-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-142-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-143-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-144-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-145-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-146-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-148-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-149-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-151-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-150-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-147-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-152-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-153-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-154-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-155-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-156-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-158-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-157-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-160-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-159-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-161-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-162-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-163-0x00000000049A0000-0x0000000004EC0000-memory.dmp

memory/3500-165-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-166-0x00000000049A0000-0x0000000004EC0000-memory.dmp

memory/3500-167-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-168-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-169-0x0000000077600000-0x000000007778E000-memory.dmp

memory/3500-171-0x00000000049A0000-0x0000000004EC0000-memory.dmp

memory/3500-170-0x0000000068880000-0x0000000068DAE000-memory.dmp

memory/3500-172-0x0000000061DC0000-0x0000000062405000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 50s
Max time network: 59s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 2756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2540 wrote to memory of 2756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2540 wrote to memory of 2756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\iconengines\qsvgicon.dll,#1

Network

Country Destination Domain Proto
N/A 13.69.109.131:443 tcp
N/A 8.252.118.126:80 tcp

Files

memory/2756-117-0x0000000000000000-mapping.dmp

memory/2756-118-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-119-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-120-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-121-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-122-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-123-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-125-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-124-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-126-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-127-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-128-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-129-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-130-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-131-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-132-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-133-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-134-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-136-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-137-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-139-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-138-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-135-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-142-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-144-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-143-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-146-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-145-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-147-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-148-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-141-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-140-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-149-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-152-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-153-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-151-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-150-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-154-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-155-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-156-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-157-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-158-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-159-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-160-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-161-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-162-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-163-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-164-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-165-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-166-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-167-0x0000000077580000-0x000000007770E000-memory.dmp

memory/2756-168-0x0000000077580000-0x000000007770E000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 143s
Max time network: 147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libeay32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 4704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 4704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 4704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libeay32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libeay32.dll,#1

Network

Country Destination Domain Proto
N/A 51.105.71.137:443 tcp
N/A 93.184.221.240:80 tcp

Files

memory/4704-116-0x0000000000000000-mapping.dmp

memory/4704-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

memory/4704-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted: 2023-01-09 01:58
Reported: 2023-01-09 02:02
Platform: win10-20220812-en
Max time kernel: 51s
Max time network: 146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libgcc_s_dw2-1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 636

Network

Country Destination Domain Proto
N/A 20.50.80.210:443 tcp
N/A 67.27.153.254:80 tcp

Files

memory/2696-115-0x0000000000000000-mapping.dmp

memory/2696-116-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-117-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-118-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-119-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-120-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-121-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-122-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-123-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-124-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-125-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-127-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-126-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-129-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-128-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-130-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-131-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-132-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-133-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-134-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-135-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-136-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-137-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-140-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-141-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-142-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-144-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-145-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-147-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-146-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-148-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-150-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-149-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-143-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-151-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-139-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-138-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-152-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-153-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-154-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-155-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-156-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-157-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-158-0x00000000775D0000-0x000000007775E000-memory.dmp

memory/2696-159-0x00000000775D0000-0x000000007775E000-memory.dmp
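The detonation records in this report (behavioral22 above and the ones that follow) all have the same shape: a 64-bit C:\Windows\system32\rundll32.exe is given one DLL from the archive with export ordinal #1, a "Suspicious use of WriteProcessMemory" hit follows from that process into a C:\Windows\SysWOW64\rundll32.exe child, in several cases WerFault.exe is started with -p <child PID>, and the Files list is a run of memory/<pid>-<seq>-<start>-<end>-memory.dmp snapshots of one address range. The script below is an added triage helper, not part of this report or of the sandbox vendor's tooling. It parses that plain-text layout and separates the expected WoW64 handoff (64-bit rundll32 relaunching its SysWOW64 copy to load a 32-bit DLL, which the sandbox logs as a write into the new process) from any WriteProcessMemory whose source/target pair is something else, cross-checks that the WerFault -p PID is the child that received the write, collapses the repeated dump names to distinct regions with their sizes, and lists contacted endpoints. SAMPLE_REPORT is a constructed excerpt copied from the behavioral22 record with blank lines dropped; the section names and regular expressions are assumptions about this report's layout.

```python
# Added triage helper for the per-DLL detonation records in this report. Not part of
# the report or of the sandbox vendor's tooling; it parses the plain-text layout seen
# above, and SAMPLE_REPORT is a constructed excerpt copied from behavioral22.
import re

SAMPLE_REPORT = r"""
Analysis: behavioral22
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\libgcc_s_dw2-1.dll,#1
Signatures
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
Suspicious use of WriteProcessMemory
Description Indicator Process Target
PID 2656 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Processes
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 636
Network
Country Destination Domain Proto
N/A 20.50.80.210:443 tcp
N/A 67.27.153.254:80 tcp
Files
memory/2696-115-0x0000000000000000-mapping.dmp
memory/2696-116-0x00000000775D0000-0x000000007775E000-memory.dmp
memory/2696-117-0x00000000775D0000-0x000000007775E000-memory.dmp
"""

SECTIONS = {"Detonation Overview", "Command Line", "Signatures", "Processes", "Network", "Files"}
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
WERFAULT_RE = re.compile(r"WerFault\.exe .*-p (\d+)")   # only the '-p <pid>' command line matches
NET_RE = re.compile(r"^\S+ (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: \S+)? (tcp|udp)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$")

# 64-bit rundll32 hands a 32-bit DLL to its SysWOW64 copy, and the sandbox records that
# CreateProcess as WriteProcessMemory. Any other source/target pair stays flagged.
WOW64_RELAUNCH = (r"c:\windows\system32\rundll32.exe", r"c:\windows\syswow64\rundll32.exe")


def parse_report(text):
    """Split the plain-text report into one dict per 'Analysis: ...' record."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Analysis: "):
            rec = {"name": line[10:], "cmdline": None, "wpm": [], "crash_pids": [],
                   "network": [], "dumps": []}
            records.append(rec)
            section = None
        elif rec is None:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "Command Line" and rec["cmdline"] is None:
            rec["cmdline"] = line
        elif (m := WPM_RE.match(line)):
            rec["wpm"].append({"src_pid": int(m[1]), "dst_pid": int(m[2]), "src": m[4], "dst": m[5]})
        elif (m := WERFAULT_RE.search(line)):
            rec["crash_pids"].append(int(m[1]))
        elif section == "Network" and (m := NET_RE.match(line)):
            rec["network"].append((m[1], int(m[2])))
        elif (m := DUMP_RE.match(line)):
            # Dump names encode pid-sequence-start-end; mapping.dmp entries carry no range.
            rec["dumps"].append({"pid": int(m[1]), "seq": int(m[2]), "start": int(m[3], 16),
                                 "end": int(m[4], 16) if m[4] else None})
    return records


def triage(rec):
    """Reduce one record to the facts an analyst acts on first."""
    wow64, other = False, []
    for hit in rec["wpm"]:
        if (hit["src"].lower(), hit["dst"].lower()) == WOW64_RELAUNCH:
            wow64 = True
        else:
            other.append(hit)
    # Every snapshot repeats the same start/end, so collapse dumps to distinct regions.
    regions = {(d["pid"], d["start"], d["end"]): d["end"] - d["start"]
               for d in rec["dumps"] if d["end"] is not None}
    crashed = rec["crash_pids"][0] if rec["crash_pids"] else None
    return {
        "name": rec["name"], "cmdline": rec["cmdline"],
        "wow64_relaunch": wow64, "unexplained_wpm": other,
        "crashed_pid": crashed,
        # True when WerFault's -p PID is the process that received the memory write.
        "crash_in_child": crashed in {h["dst_pid"] for h in rec["wpm"]},
        "regions": sorted(regions), "region_sizes": regions,
        "dump_count": len(rec["dumps"]), "endpoints": sorted(set(rec["network"])),
    }


if __name__ == "__main__":
    for t in map(triage, parse_report(SAMPLE_REPORT)):
        print(t["name"], t["cmdline"])
        print("  relaunch only:", t["wow64_relaunch"] and not t["unexplained_wpm"],
              "| crashed pid:", t["crashed_pid"], "| in child:", t["crash_in_child"])
        for pid, start, end in t["regions"]:
            print(f"  dumped region pid={pid} {start:#x}-{end:#x} size={end - start:#x}")
        print("  endpoints:", t["endpoints"])
```

Run it against a whole report pasted into SAMPLE_REPORT and it yields one summary per record. Two cautions when reading the output: a record whose only WriteProcessMemory hit is the system32 to SysWOW64 rundll32 pair is the sandbox's own loader behaviour and is not by itself evidence of injection, and the dumped range in behavioral22 (0x775D0000 to 0x7775E000, 0x18E000 bytes) sits where 32-bit system DLLs map, so compare it with the module list of the crashed PID before treating the dump as unpacked payload.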

Analysis: behavioral24

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

52s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\librainbow.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2704 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2704 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\librainbow.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\librainbow.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 692

Network

Country Destination Domain Proto
N/A 168.63.250.82:80 tcp

Files

memory/2868-116-0x0000000000000000-mapping.dmp

memory/2868-118-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-120-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-119-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-122-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-123-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-125-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-126-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-128-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-127-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-124-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-121-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-117-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-130-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-132-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-133-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-134-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-136-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-135-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-137-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-131-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-138-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-140-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-141-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-142-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-143-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-145-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-144-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-139-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-146-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-147-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-129-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-149-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-151-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-150-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-148-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-152-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-153-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-155-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-157-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-158-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-159-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-161-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-160-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-156-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-154-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-162-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-163-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-165-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-166-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-164-0x0000000076EF0000-0x000000007707E000-memory.dmp

memory/2868-167-0x0000000068880000-0x0000000068DAE000-memory.dmp

memory/2868-168-0x0000000061940000-0x0000000061E60000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

51s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\platforms\qwindows.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 3156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 3156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 3156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\platforms\qwindows.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\platforms\qwindows.dll,#1

Network

N/A

Files

memory/3156-118-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-119-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-120-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-122-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-123-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-125-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-124-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-127-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-126-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-121-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-128-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-129-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-117-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-116-0x0000000000000000-mapping.dmp

memory/3156-130-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-132-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-135-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-137-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-139-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-141-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-143-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-142-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-144-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-145-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-140-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-138-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-136-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-146-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-134-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-147-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-148-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-133-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-131-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-150-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-151-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-149-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-152-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-153-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-155-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-157-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-159-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-158-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-160-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-156-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-154-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-161-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-164-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-166-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-168-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-167-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-165-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-163-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-162-0x00000000779D0000-0x0000000077B5E000-memory.dmp

memory/3156-169-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

54s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\ssleay32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 388 wrote to memory of 3720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 388 wrote to memory of 3720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 388 wrote to memory of 3720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\ssleay32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\ssleay32.dll,#1

Network

Country Destination Domain Proto
N/A 52.182.143.208:443 tcp
N/A 93.184.221.240:80 tcp

Files

memory/3720-115-0x0000000000000000-mapping.dmp

memory/3720-116-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-117-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-118-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-119-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-120-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-122-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-125-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-127-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-126-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-129-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-130-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-131-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-133-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-132-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-128-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-124-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-123-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-121-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-135-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-137-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-136-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-139-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-141-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-142-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-143-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-140-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-138-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-134-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-145-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-147-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-146-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-148-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-150-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-152-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-153-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-155-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-157-0x0000000003EA0000-0x0000000003FDA000-memory.dmp

memory/3720-160-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-163-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-165-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-167-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-166-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-164-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-162-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-161-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-159-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-156-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-154-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-151-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-149-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/3720-144-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220901-en

Max time kernel

50s

Max time network

72s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\Qt5Svg.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 684

Network

Country Destination Domain Proto
N/A 20.189.173.2:443 tcp
N/A 87.248.202.1:80 tcp

Files

memory/2808-120-0x0000000000000000-mapping.dmp

memory/2808-121-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-122-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-123-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-124-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-125-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-126-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-128-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-127-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-129-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-130-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-131-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-132-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-134-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-135-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-136-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-138-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-139-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-141-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-142-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-143-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-144-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-146-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-149-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-148-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-151-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-150-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-152-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-147-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-145-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-140-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-153-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-137-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-154-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-155-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-156-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-133-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-158-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-157-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-159-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-160-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-161-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-163-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-165-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-164-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-162-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-166-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-167-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-168-0x00000000042D0000-0x0000000004915000-memory.dmp

memory/2808-170-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-171-0x00000000042D0000-0x0000000004915000-memory.dmp

memory/2808-172-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-174-0x0000000068880000-0x0000000068DAE000-memory.dmp

memory/2808-173-0x00000000773D0000-0x000000007755E000-memory.dmp

memory/2808-176-0x0000000061940000-0x0000000061E60000-memory.dmp

memory/2808-177-0x00000000042D0000-0x0000000004915000-memory.dmp

memory/2808-175-0x00000000773D0000-0x000000007755E000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

49s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2808 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2808 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MultiMC\imageformats\qicns.dll,#1

Network

N/A

Files

memory/2948-115-0x0000000000000000-mapping.dmp

memory/2948-116-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-117-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-118-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-119-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-120-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-121-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-122-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-124-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-123-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-125-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-126-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-127-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-128-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-129-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-130-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-131-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-132-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-133-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-134-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-135-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-136-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-137-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-138-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-139-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-140-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-142-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-143-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-144-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-145-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-147-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-149-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-148-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-150-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-151-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-146-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-141-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-152-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-153-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-154-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-155-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-156-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-159-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-160-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-162-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-165-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-164-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-163-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-161-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-158-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-157-0x0000000077960000-0x0000000077AEE000-memory.dmp

memory/2948-166-0x0000000077960000-0x0000000077AEE000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2023-01-09 01:58

Reported

2023-01-09 02:02

Platform

win10-20220812-en

Max time kernel

49s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MultiMC\updater.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MultiMC\updater.exe

"C:\Users\Admin\AppData\Local\Temp\MultiMC\updater.exe"

Network

Country Destination Domain Proto
N/A 20.50.201.195:443 tcp
N/A 95.101.78.106:80 tcp

Files

memory/2752-120-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-121-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-122-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-123-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-124-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-125-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-126-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-127-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-128-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-129-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-130-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-131-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-133-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-134-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-132-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-135-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-137-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-138-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-140-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-139-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-141-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-136-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-142-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-145-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-146-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-148-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-147-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-144-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-149-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-143-0x0000000077710000-0x000000007789E000-memory.dmp

memory/2752-150-0x0000000077710000-0x000000007789E000-memory.dmp