File name:

mmc-develop-win32.zip

Full analysis: https://app.any.run/tasks/9775b820-23f3-414c-955f-84320fd4c90d
Verdict: Malicious activity
Analysis date: November 07, 2023, 19:10:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

1A332FE339F321EBB3B91CBE6F7034DC

SHA1:

94B8E884CBF59378754BC300E60E570ED204E819

SHA256:

85C9B01515C4F19F797D8753D7187F463B3C742012BD22D3EA84C222EA7F5A76

SSDEEP:

98304:PKSe0AxsA44S7ZENwbFjCJxGE/PnVtMbbi/iC4AzQIbs/ZIqh96p+aekQff+MzVK:sCfBbh2n42DHPlWL60jYcnXBih

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • MultiMC.exe (PID: 2928)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • MultiMC.exe (PID: 2928)
    • Checks for Java to be installed

      • MultiMC.exe (PID: 2928)
      • javaw.exe (PID: 3524)
      • javaw.exe (PID: 3556)
  • INFO

    • Checks supported languages

      • MultiMC.exe (PID: 2928)
      • javaw.exe (PID: 3472)
      • javaw.exe (PID: 3524)
      • javaw.exe (PID: 3556)
      • wmpnscfg.exe (PID: 4016)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3212)
    • Reads the computer name

      • MultiMC.exe (PID: 2928)
      • wmpnscfg.exe (PID: 4016)
    • Reads the machine GUID from the registry

      • MultiMC.exe (PID: 2928)
      • wmpnscfg.exe (PID: 4016)
    • Create files in a temporary directory

      • javaw.exe (PID: 3472)
      • javaw.exe (PID: 3524)
      • MultiMC.exe (PID: 2928)
      • javaw.exe (PID: 3556)
    • Creates files in the program directory

      • javaw.exe (PID: 3524)
      • javaw.exe (PID: 3472)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4016)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:09:17 11:21:22
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MultiMC/
No data.
All screenshots are available in the full report
Total processes
42
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes shown in the graph (details in the full report): winrar.exe (no specs), multimc.exe, javaw.exe (no specs), javaw.exe (no specs), icacls.exe (no specs), javaw.exe (no specs), wmpnscfg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2928
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\MultiMC.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\MultiMC.exe
Parent process: WinRAR.exe
User:
admin
Company:
MultiMC Contributors
Integrity Level:
MEDIUM
Description:
MultiMC Launcher
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3212.24462\multimc\multimc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rar$exa3212.24462\multimc\liblauncher_iconfix.dll
c:\users\admin\appdata\local\temp\rar$exa3212.24462\multimc\qt5core.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3212
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\mmc-develop-win32.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3472
CMD: "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar C:/Users/admin/AppData/Local/Temp/Rar$EXa3212.24462/MultiMC/jars/JavaCheck.jar
Path: C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe
Parent process: MultiMC.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3524
CMD: javaw -jar C:/Users/admin/AppData/Local/Temp/Rar$EXa3212.24462/MultiMC/jars/JavaCheck.jar
Path: C:\Program Files\Common Files\Oracle\Java\javapath_target_52116515\javaw.exe
Parent process: MultiMC.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\common files\oracle\java\javapath_target_52116515\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3556
CMD: javaw -Xms512m -Xmx1024m -jar C:/Users/admin/AppData/Local/Temp/Rar$EXa3212.24462/MultiMC/jars/JavaCheck.jar
Path: C:\Program Files\Common Files\Oracle\Java\javapath_target_52116515\javaw.exe
Parent process: MultiMC.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\common files\oracle\java\javapath_target_52116515\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3584
CMD: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path: C:\Windows\System32\icacls.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID: 4016
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
2 992
Read events
2 971
Write events
16
Delete events
5

Modification events

Process: (3212) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3212) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files
30
Suspicious files
12
Text files
27
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\jars\NewLaunch.jar
Type: java
MD5: 9395A802A45948D7BDBEFC03A563B92C
SHA256: 255AC2B99904CAD700504D01881AE0D018EC313D5317DE1609101D2C8E57B83C

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\jars\JavaCheck.jar
Type: java
MD5: B1EA021A522920256AF04F2770691D21
SHA256: 03382AA4EB7A8E0989D445E7749DCD90FA9703620A24D384D8DE2DDB789F9FE9

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\Qt5Core.dll
Type: executable
MD5: 9C31C47941EDD8AED4BB51A3BE9C6EA2
SHA256: 79B83C43AF99A9CB72A744AE2262C090227907907E8F2DEB937CD4E1F0965E4D

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\platforms\qwindows.dll
Type: executable
MD5: 56954E18ADD3156CABA4489616E892DD
SHA256: 8745FCF14809FCCD3ACB3E579993CAD589A1203D0BD3CB1ACD5D3A9BB0E92583

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\Qt5Widgets.dll
Type: executable
MD5: 501D23A2E5E2F8BB1564AC627F674BC0
SHA256: 5C16112F7F7454E2E802F4A18E0B9A9A0086B9AE29BAE35892D7D32F3FA81C94

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\libLauncher_nbt++.dll
Type: executable
MD5: A8FD1D3CA86576AF970775E814578DC0
SHA256: 0DE8B725FF2074290B6C9F5F38A4650B84EAF299456C2DC5CD9E71B1E1962824

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\libssp-0.dll
Type: executable
MD5: D6859975AAF6D3AA92F2D50F6E9876A0
SHA256: 17329C4C19E8F23CDE9C99155EB3F8759F8D2383AD856C32A51B3B9FA2846811

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\libLauncher_nbt++.dll.a
Type: binary
MD5: D33B558EF7BD4D8617686BA972D581EB
SHA256: 41D0787573AC821BE0CE45BCADDC77440A1BB1B9CB077B3C86C39B75B1404B11

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\Qt5Svg.dll
Type: executable
MD5: 96934C8F93716FB4C5AB7433C3FCF660
SHA256: ADB44DE5A537F5FADB9288E3852189F799BA7B95CEF847F2198A8864AB6F063B

PID: 3212
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3212.24462\MultiMC\MultiMC.exe
Type: executable
MD5: 028F895FFC4FCBCA816498FA009E672C
SHA256: 4213D880E0BD7926FCB1CBDCB1FA94AB4D7E9810DF5E5FFD23D267194CF4D2A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
301
172.67.132.190:80
http://files.multimc.org/update/win32/develop/index.json
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
868
svchost.exe
184.30.20.134:80
armmf.adobe.com
AKAMAI-AS
DE
unknown
2928
MultiMC.exe
172.67.132.190:443
files.multimc.org
CLOUDFLARENET
US
unknown
2928
MultiMC.exe
172.67.132.190:80
files.multimc.org
CLOUDFLARENET
US
unknown
2928
MultiMC.exe
104.21.5.18:443
files.multimc.org
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
armmf.adobe.com
  • 184.30.20.134
whitelisted
files.multimc.org
  • 172.67.132.190
  • 104.21.5.18
unknown
multimc.org
  • 172.67.132.190
  • 104.21.5.18
whitelisted
meta.multimc.org
  • 104.21.5.18
  • 172.67.132.190
whitelisted

Threats

No threats detected
No debug info