File name:

mmc-cracked-win32.zip

Full analysis: https://app.any.run/tasks/b8dc2c84-b6ec-403c-a47a-eb204ff0284c
Verdict: Malicious activity
Analysis date: May 12, 2024, 10:01:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

4D69FCB6FF2CBAB6CFD2F93AEC09ADF8

SHA1:

4146B34C7CD529092A0A8517F1CF1E440680EEE9

SHA256:

23488A63F94A15EF5F92D4089754607E7F9AA9AA7E29E3F65A6E152B8C94D59A

SSDEEP:

98304:gLaQlaaQF5FjrDbFUeCjpdXRnBO8hIYi3tRz+DREIJ3p4crRtuj8iazdyVV1YW9L:O/7DMZYbamk9xicHJcWx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3980)
      • UltimMC.exe (PID: 312)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3980)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3980)
    • Reads settings of System Certificates

      • UltimMC.exe (PID: 312)
    • Checks for Java to be installed

      • UltimMC.exe (PID: 312)
      • javaw.exe (PID: 692)
      • javaw.exe (PID: 1812)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3980)
    • Reads the computer name

      • UltimMC.exe (PID: 312)
      • wmpnscfg.exe (PID: 2464)
    • Create files in a temporary directory

      • UltimMC.exe (PID: 312)
      • javaw.exe (PID: 616)
      • javaw.exe (PID: 692)
      • javaw.exe (PID: 1812)
      • javaw.exe (PID: 1940)
    • Checks supported languages

      • UltimMC.exe (PID: 312)
      • javaw.exe (PID: 616)
      • javaw.exe (PID: 692)
      • javaw.exe (PID: 1812)
      • javaw.exe (PID: 1940)
      • wmpnscfg.exe (PID: 2464)
    • Reads the machine GUID from the registry

      • UltimMC.exe (PID: 312)
    • Manual execution by a user

      • UltimMC.exe (PID: 312)
      • wmpnscfg.exe (PID: 2464)
    • Creates files in the program directory

      • javaw.exe (PID: 692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2024:04:01 00:53:56
ZipCRC: 0xe2707840
ZipCompressedSize: 18501
ZipUncompressedSize: 45056
ZipFileName: UltimMC/iconengines/qsvgicon.dll
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
8
Malicious processes
3
Suspicious processes
1

Behavior graph

Process chain (as shown in the behavior graph):

  • start
  • winrar.exe
  • ultimmc.exe
  • javaw.exe (no specs)
  • javaw.exe (no specs)
  • icacls.exe (no specs)
  • javaw.exe (no specs)
  • javaw.exe (no specs)
  • wmpnscfg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
312
CMD:
"C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\UltimMC.exe"
Path:
C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\UltimMC.exe
Parent process:
explorer.exe
User:
admin
Company:
UltimMC Contributors
Integrity Level:
MEDIUM
Description:
A Minecraft Launcher
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\mmc-cracked-win32\ultimmc\ultimmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\mmc-cracked-win32\ultimmc\liblauncher_iconfix.dll
c:\users\admin\desktop\mmc-cracked-win32\ultimmc\qt5core.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
616
CMD:
"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar C:/Users/admin/Desktop/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar
Path:
C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe
Parent process:
UltimMC.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
692
CMD:
javaw -jar C:/Users/admin/Desktop/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar
Path:
C:\Program Files\Common Files\Oracle\Java\javapath_target_52116515\javaw.exe
Parent process:
UltimMC.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\common files\oracle\java\javapath_target_52116515\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1812
CMD:
javaw -Xms512m -Xmx1024m -jar C:/Users/admin/Desktop/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar
Path:
C:\Program Files\Common Files\Oracle\Java\javapath_target_52116515\javaw.exe
Parent process:
UltimMC.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\common files\oracle\java\javapath_target_52116515\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1940
CMD:
"C:\Program Files\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/admin/Desktop/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar
Path:
C:\Program Files\Common Files\Oracle\Java\javapath_target_52116515\javaw.exe
Parent process:
UltimMC.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\common files\oracle\java\javapath_target_52116515\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2068
CMD:
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path:
C:\Windows\System32\icacls.exe
Parent process:
javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID:
2464
CMD:
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path:
C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
3980
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\mmc-cracked-win32.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
6 244
Read events
6 215
Write events
29
Delete events
0

Modification events

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\mmc-cracked-win32.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
44
Suspicious files
67
Text files
77
Unknown types
0

Dropped files

PID | Process | Filename | Type

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\imageformats\qicns.dll | executable
MD5: 3B48F732F811EA6EA4FCC18808A7DF1E
SHA256: 5DA98AC16C329354B1B709B20FCF797F3FBDB8D3E834054568D2FF68E897851D

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\imageformats\qgif.dll | executable
MD5: 67598FC68A992F106BFAD56B22CAC886
SHA256: 000BBACC0FA451C61413E50B3EF63D3461DA422B3425404D8952A52182121B6D

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\imageformats\qwbmp.dll | executable
MD5: 8E1EB9386572D0C7E62E0230A67FF987
SHA256: E7BDD9C34A62B3B46D8E7D224BE3F5F7607A27634A8A6FD4F85549869F2D1145

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\jars\NewLaunch.jar | java
MD5: B299FDF27FF160EB7D3D7D941622D1D8
SHA256: 8B6AEAFAD756DFF396A1A27691856A36D95F74144CE5B5C40AA24A1ADFF0E8A0

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\imageformats\qsvg.dll | executable
MD5: 7EB5B428DE2FD5CE7F361BBF3D6AADA4
SHA256: C818B37D77C84E3A9963A761BAE3EEFC73CCCD3485EE6CB1C085C670041E9C59

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\iconengines\qsvgicon.dll | executable
MD5: CBB708ACDBCFD89E1DE38E2C4AA9192A
SHA256: 8CB93B212C02FD6D222E985E629DF698227323C43B7F0B71BE3649AA8CB3CC2F

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\platforms\qwindows.dll | executable
MD5: 56954E18ADD3156CABA4489616E892DD
SHA256: 8745FCF14809FCCD3ACB3E579993CAD589A1203D0BD3CB1ACD5D3A9BB0E92583

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\libLauncher_rainbow.dll | executable
MD5: 86DFE4963FA363E37F18D052BBD2CFDF
SHA256: 6CEC3ED1C60DC464B938DC1FA152C92A773D9A6457E40BC48FD993A30908C819

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\libssp-0.dll | executable
MD5: D6859975AAF6D3AA92F2D50F6E9876A0
SHA256: 17329C4C19E8F23CDE9C99155EB3F8759F8D2383AD856C32A51B3B9FA2846811

3980 | WinRAR.exe | C:\Users\admin\Desktop\mmc-cracked-win32\UltimMC\libwinpthread-1.dll | executable
MD5: D128AE39A79E5D196FC001907B5EC3D1
SHA256: 4195AC1E3A4A8056DE42C31D511E0E595772439ADBA96180B8953EF5F135F7A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
15
DNS requests
10
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
312 | UltimMC.exe | 104.21.5.18:443 | files.multimc.org | CLOUDFLARENET | - | unknown
312 | UltimMC.exe | 13.107.213.45:443 | session.minecraft.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
files.multimc.org | 104.21.5.18, 172.67.132.190 | unknown
multimc.org | 104.21.5.18, 172.67.132.190 | whitelisted
meta.multimc.org | 104.21.5.18, 172.67.132.190 | whitelisted
authserver.mojang.com | - | unknown
session.minecraft.net | 13.107.213.45, 13.107.246.45 | unknown
textures.minecraft.net | 13.107.246.45, 13.107.213.45 | whitelisted
api.mojang.com | 13.107.213.45, 13.107.246.45 | whitelisted
libraries.minecraft.net | 13.107.213.45, 13.107.246.45 | shared
piston-data.mojang.com | 13.107.213.45, 13.107.246.45 | unknown
piston-meta.mojang.com | 13.107.213.45, 13.107.246.45 | unknown

Threats

No threats detected
No debug info