Malware Analysis Report

2024-07-28 08:45

Sample ID 240610-dmwktsbh67
Target PrismLauncher-Windows-MSVC-Setup-8.3.exe
SHA256 c2fc663f23d734380807de7b7f5897376cdc1e3cd547d51ab515a3a4e72ab073
Tags microsoft discovery phishing
Score 7/10


Analysis Overview

Score 7/10

SHA256 c2fc663f23d734380807de7b7f5897376cdc1e3cd547d51ab515a3a4e72ab073

Threat Level: Shows suspicious behavior

The file PrismLauncher-Windows-MSVC-Setup-8.3.exe was found to show suspicious behavior.

Malicious Activity Summary

microsoft discovery phishing

Loads dropped DLL

Checks computer location settings

Modifies file permissions

Executes dropped EXE

Checks installed software on the system

Detected potential entity reuse from brand microsoft.

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Kills process with taskkill

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 03:08

Signatures

Unsigned PE


Analysis: behavioral7

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 224

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qgif.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qgif.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240226-en

Max time kernel

231s

Max time network

303s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.179.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240226-en

Max time kernel

231s

Max time network

301s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Widgets.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Widgets.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.74.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/4424-0-0x00007FF9EADB0000-0x00007FF9EB3DD000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Xml.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Xml.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

273s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iconengines\qsvgicon.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iconengines\qsvgicon.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 240

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

259s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Network.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Network.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Svg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Svg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Svg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Svg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

272s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4828 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4828 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Network.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Network.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

269s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qjpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qjpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

270s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1292 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1292 wrote to memory of 3948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Gui.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Gui.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:22

Platform

win10v2004-20240508-en

Max time kernel

255s

Max time network

274s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TaskKill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\curseforge\URL Protocol C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\curseforge\shell\open\command C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\curseforge\shell C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\curseforge\shell\open C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\curseforge\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\PrismLauncher\\prismlauncher.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\curseforge C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TaskKill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4876 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe C:\Windows\SysWOW64\TaskKill.exe
PID 4876 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe C:\Windows\SysWOW64\TaskKill.exe
PID 4876 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe C:\Windows\SysWOW64\TaskKill.exe
PID 4876 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
PID 4876 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
PID 5104 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 5104 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 5104 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files\Java\jdk-1.8\bin\javaw.exe
PID 5104 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files\Java\jdk-1.8\bin\javaw.exe
PID 5104 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
PID 5104 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
PID 5104 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe (2 events)
PID 1576 wrote to memory of 1200 N/A C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe (2 events)
PID 5104 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files\Java\jdk-1.8\bin\javaw.exe (2 events)
PID 5104 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 752 wrote to memory of 4872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 752 wrote to memory of 3660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 events)
PID 752 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 752 wrote to memory of 2352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
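
The rows above are the sandbox's per-event record of one process writing into another process's memory. Every target in this run is consistent with a parent writing into a child it has just created (the launcher into javaw.exe and msedge.exe, javaw.exe into icacls.exe, the Edge browser process into its own helper processes), which is the pattern ordinary process creation produces; what would deserve attention is a target written by a process other than the one that started it. The Python below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the format above (either one row per event, or a row carrying a trailing "(N events)" count; rows without a count are single events), collapses them per writer/target pair, lists the pairs where the two images differ, and flags any target that has more than one writer. The embedded rows are a constructed subset copied from the table; the 40-event figure for 752 -> 3660 is the count in this report.

```python
import re
from collections import OrderedDict

# Constructed subset of the "wrote to memory" rows from this report. Rows are
# accepted either one per event, as the sandbox emits them, or collapsed with a
# trailing "(N events)" count.
SAMPLE_ROWS = r"""
PID 5104 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
PID 5104 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
PID 5104 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
PID 1576 wrote to memory of 1200 N/A C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 1576 wrote to memory of 1200 N/A C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 5104 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5104 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 752 wrote to memory of 3660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 events)
PID 752 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
"""

# Both image paths contain spaces, so the split is on the ".exe" suffixes rather
# than on whitespace. The third column ("N/A" in this report) is skipped.
ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) \S+ "
    r"(?P<src>.+?\.exe) (?P<dst>.+?\.exe)(?: \((?P<n>\d+) events?\))?$",
    re.IGNORECASE,
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    """Return (writer_pid, target_pid, src_image, dst_image, count) per row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            count = int(m["n"]) if m["n"] else 1
            rows.append((int(m["writer"]), int(m["target"]), m["src"], m["dst"], count))
    return rows


def summarize(rows):
    """Collapse rows into one entry per (writer, target) pair, first-seen order."""
    pairs = OrderedDict()
    for writer, target, src, dst, count in rows:
        entry = pairs.setdefault((writer, target), {"count": 0, "src": src, "dst": dst})
        entry["count"] += count
    return pairs


def cross_image_pairs(pairs):
    """Pairs whose writer and target run different images (launcher -> javaw.exe,
    launcher -> msedge.exe, javaw.exe -> icacls.exe in this report)."""
    return [key for key, e in pairs.items() if basename(e["src"]) != basename(e["dst"])]


def multi_writer_targets(pairs):
    """Target PIDs written by more than one distinct writer. A target written only
    by the process that started it matches ordinary CreateProcess setup; a second
    writer into an existing process is the case that needs a closer look."""
    writers = {}
    for writer, target in pairs:
        writers.setdefault(target, set()).add(writer)
    return sorted(t for t, ws in writers.items() if len(ws) > 1)


if __name__ == "__main__":
    pairs = summarize(parse_rows(SAMPLE_ROWS))
    for (writer, target), e in pairs.items():
        print(f"{writer} -> {target} x{e['count']}: {basename(e['src'])} -> {basename(e['dst'])}")
    print("cross-image pairs:", cross_image_pairs(pairs))
    print("targets with several writers:", multi_writer_targets(pairs))
```

On this report every cross-image pair is a spawn edge that also appears in the process list below, and no target has a second writer, so the signature reduces to process-creation noise; the same functions run unchanged over a full export of the rows.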

Processes

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe

"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe"

C:\Windows\SysWOW64\TaskKill.exe

TaskKill /IM prismlauncher.exe /F

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

"C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe

javaw -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe

"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

"C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -Xms512m -Xmx4096m -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x308 0x4ac

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.microsoft.com/link?otc=5AJKAG52

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffba9a46f8,0x7fffba9a4708,0x7fffba9a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13493920512912227442,1386848113877764280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 i18n.prismlauncher.org udp
US 185.199.109.153:443 i18n.prismlauncher.org tcp
US 8.8.8.8:53 153.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 prismlauncher.org udp
DE 3.72.140.173:443 prismlauncher.org tcp
US 8.8.8.8:53 173.140.72.3.in-addr.arpa udp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 meta.prismlauncher.org udp
US 185.199.108.153:443 meta.prismlauncher.org tcp
US 8.8.8.8:53 153.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.2:443 login.microsoftonline.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 acctcdn.msftauth.net udp
US 8.8.8.8:53 acctcdn.msauth.net udp
US 8.8.8.8:53 logincdn.msftauth.net udp
US 152.199.21.175:443 logincdn.msftauth.net tcp
US 13.107.246.64:443 acctcdn.msauth.net tcp
US 152.199.21.175:443 logincdn.msftauth.net tcp
US 152.199.21.175:443 logincdn.msftauth.net tcp
US 8.8.8.8:53 acctcdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 lgincdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 acctcdnvzeuno.azureedge.net udp
US 8.8.8.8:53 lgincdnvzeuno.azureedge.net udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.2:443 browser.events.data.microsoft.com tcp
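
The table interleaves three kinds of rows: forward DNS lookups to 8.8.8.8, PTR lookups (in-addr.arpa names, which carry an IPv4 address with its octets reversed), and the TCP/443 connections that follow. The destinations that remain after filtering are the launcher's own hosts (prismlauncher.org, meta.prismlauncher.org, i18n.prismlauncher.org) and Microsoft sign-in hosts (login.microsoftonline.com, www.microsoft.com, logincdn.msftauth.net, acctcdn.msauth.net); the latter match the Edge launch in the process list with a https://www.microsoft.com/link?otc=... URL, the Microsoft device-code sign-in page with a one-time code pre-filled. The Python below is an added example, not from the report or the sandbox: it parses the table, decodes PTR names back to addresses, separates the PTR queries that match a connected peer from those that do not, and reports names that were resolved without a connection and connections without a prior lookup. The embedded rows are a constructed subset of the table above and include the mDNS row, which has no domain column.

```python
import ipaddress

# Constructed subset of the Network table above, in its column order
# (Country Destination Domain Proto); the multicast row has no domain column.
SAMPLE_TABLE = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 i18n.prismlauncher.org udp
US 185.199.109.153:443 i18n.prismlauncher.org tcp
US 8.8.8.8:53 153.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 prismlauncher.org udp
DE 3.72.140.173:443 prismlauncher.org tcp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.2:443 login.microsoftonline.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 logincdn.msftauth.net udp
US 152.199.21.175:443 logincdn.msftauth.net tcp
US 8.8.8.8:53 acctcdnmsftuswe2.azureedge.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.2:443 browser.events.data.microsoft.com tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_table(text):
    """One dict per row; a three-column row is a destination with no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28' (octets are reversed)."""
    return ".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))


def triage(rows):
    def is_ptr(r):
        return r["domain"].endswith(PTR_SUFFIX)

    ptr_ips = {ptr_to_ip(r["domain"]) for r in rows if is_ptr(r)}
    lookups = [r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and r["domain"] and not is_ptr(r)]
    conns = [(r["domain"], f"{r['ip']}:{r['port']}", r["country"])
             for r in rows if r["proto"] == "tcp"]
    connected_ips = {r["ip"] for r in rows if r["proto"] == "tcp"}
    conn_domains = {d for d, _, _ in conns}
    return {
        "lookups": lookups,
        "connections": conns,
        "multicast": [f"{r['ip']}:{r['port']}" for r in rows
                      if ipaddress.ip_address(r["ip"]).is_multicast],
        # PTR queries that decode to an address the sample connected to
        "ptr_of_peers": sorted(ptr_ips & connected_ips),
        # PTR queries with no matching connection anywhere in the table
        "ptr_unattributed": sorted(ptr_ips - connected_ips),
        # names resolved but never connected to over TCP, and the reverse
        "lookups_without_connection": sorted(set(lookups) - conn_domains),
        "connections_without_lookup": sorted(conn_domains - set(lookups)),
    }


if __name__ == "__main__":
    result = triage(parse_table(SAMPLE_TABLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run over the full table, seven of the nineteen PTR queries decode to a connected peer (for example 153.109.199.185.in-addr.arpa is 185.199.109.153, the i18n.prismlauncher.org endpoint) and twelve (such as 52.140.118.28, 40.126.31.67 and 20.189.173.10) match no TCP destination, so the table alone does not tie those twelve to the sample. The azureedge.net names are resolved but never connected to, which is consistent with the sign-in page loading its CDN assets from the msftauth.net and msauth.net hosts instead.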

Files

C:\Users\Admin\AppData\Local\Temp\nsm596B.tmp\nsDialogs.dll

MD5 1d8f01a83ddd259bc339902c1d33c8f1
SHA1 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA256 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA512 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

C:\Users\Admin\AppData\Local\Temp\nsm596B.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

C:\Users\Admin\AppData\Local\Temp\nsm596B.tmp\nsExec.dll

MD5 b4579bc396ace8cafd9e825ff63fe244
SHA1 32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
SHA256 01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
SHA512 3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

C:\Users\Admin\AppData\Local\Temp\nsm596B.tmp\modern-wizard.bmp

MD5 cbe40fd2b1ec96daedc65da172d90022
SHA1 366c216220aa4329dff6c485fd0e9b0f4f0a7944
SHA256 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
SHA512 62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

MD5 289255ff339b0ff529f43acb848b91ea
SHA1 a1312d501279095225ce6fd1824abfc50d884791
SHA256 ef302e37bc7f02edea74acaf614ecb71a6aa6f8e703db6811502169c2102c7ee
SHA512 ca782bbbd5bfd39d3b7d21f9b6d8089d4fb2c3474b1045dd6d49512b3d146b6f57fe701c26c83043cf10cbc1bf9127ee78d10775c3716a7a1f578cf0481a80f1

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll

MD5 34abb42b63e71b09b72b48cf5b1dba53
SHA1 9f3111aab57a5f28a4ce9bf82ea208fa3eadb9a6
SHA256 c71e65b882a84f47114590784a256f14ba19202ec30b218ce4841b2c7256060b
SHA512 06acab5a04a5d3e6834ddc95229758d4adc7a7f0ef003c80e8d59a8241e295b196aceacce20c88879e1676405a2538d032ec6ac543258538e686878fb29f77f1

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Xml.dll

MD5 7fcfa82dd4a01915622c14931cc585dd
SHA1 079736f39ed5791df528fed5a12456285bfa1f18
SHA256 8b772f5f227b266c47655d02843bf51be6c50729acc28db7dced488d62f7ed4f
SHA512 caf98eecb1c57789b91dbef88c3f908f0652d29d93ae335526987a47f791d565e67e25ee4643abd006a39b2d9533449672c2c21df23cc61d77032c3cd01d6f39

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Network.dll

MD5 960f50470059381c65833145036fef29
SHA1 270e230bfc9248e5ecff9ea8dfbc5f1066df02ee
SHA256 1071f4f88c65317401bf93a2ffb55e661adcbb84f05911879ab21a6656521a68
SHA512 cb0a0d63aaae1b9646dad722759b1c53b36ed13a4231a30b054f6124bcc69e7285c5777ab6bbbb8296756d6c31fc94e735db42c5155db35274e0ec25c1406582

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll

MD5 7875aad0d0d426e9d1b132a35266de32
SHA1 8b7656e3412ae546153d2d3df91a6ff506d64749
SHA256 fc2464f62d7915ddeaebb5490bee6d60e7b42ad5a223d5812f0993c27c35be19
SHA512 9fa16c5c628f2e9b242323aed4c1aa70f093cee9f341ac61640287ff9be8663658f502769e037a8409943d3c9ab826bb1c6f88532f0fbacdaea28b2353cdfba9

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Core5Compat.dll

MD5 e50b9b3fa16362c86a40e6255c6b45e7
SHA1 fa8ce8fd6d4415abdb67597735575dc83a8fc634
SHA256 c95ab3df8dc0bfd92925b7b8b51bce859ae09008691874a5c6f5630969557564
SHA512 03a8ac0ae14e8420dd9fd91bc1619d072882d152127b3f2f1c6f7e670b7c54c524490e7c84a7cd0b76e2db413439a1ca55c4e03416fd6beb47b1067c3e960cba

memory/5104-102-0x00007FF6AEE70000-0x00007FF6AF838000-memory.dmp

memory/5104-103-0x00007FFFB9440000-0x00007FFFB9A6D000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\qtlogging.ini

MD5 4995c4ae4070a861669fd6e997d815be
SHA1 aa42f6bbab438d303e6e74172eca6a0673239e2d
SHA256 fa8b3d64121cc915337b69756bd87597f4f557a802a95e953e2dfe33e40a52ff
SHA512 96a0cee7c45fb86deb02286f6994a7aa1979e69e6e0bd3014a9ed897e6695d2fa586434fc3ea9c083118f1440bfcbacb9d4bba55cbe6ab14fdb92424b31a315e

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\styles\qwindowsvistastyle.dll

MD5 cc096aea386047b0131eea248122c0d2
SHA1 6251253bbc6e4460884bfc22c1dd30cec32dbac4
SHA256 47a22e7958279e7668ace09849a669f7410bf8c7aed752bd6e60f23c9581cd50
SHA512 4b097b86a21ac26e8849bf3908de97479b3484f28a68060c06f75515b07b8878466bce4241aae6b0c06a1b671b59b5dd115c760f08dc6d3287f1b875963d1cb1

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\imageformats\qjpeg.dll

MD5 3aba46b716d9cb3b99efad42ed7970ee
SHA1 aeabe030389dff2fec45797f3f726bc2bfbe4f8d
SHA256 03ebe96116bf6e98fe967f046e62ab269ff863a3bf4dc9a817e0704b6199899a
SHA512 7e750950f4d9a31f56c3a54bb363711b6326ed42ac09a21da41fef5c78c18b4ab6fc21e340f7660c8a8b8444903dc52a258207abb6b40176b5142c7091a83e7f

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\imageformats\qwebp.dll

MD5 cee0dddffeb26ea50268414c28e656c3
SHA1 67f5c820e62c4e8bd8596f70fbf316496477df2e
SHA256 d3a1cdcb53b229040a065534465e1db27c3347b29d80417c22ccf8b7fd65a4e0
SHA512 9847e491527a81f67e6e32bb0cb27fea1785e227bd8fca3b35b1dc451cce647d9e9df23abdfeefba064f98134c3a2e3a584481625d584576aeba6ce293037847

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.lock

MD5 89ba83a9ed9fb5a969a05f7bfff236b3
SHA1 19e57366d023f1a80eda7bbd5ee9251e2c04a7f8
SHA256 cc2f0b9fdaf2bd6c6792712b897ab57774bf314305559c5367ca7aab56c43b2f
SHA512 b56dc0c87ffcb614316b49427b3866aca23e2adb7d1f85c6608ff4a389382f085a2db6727152682ece6416785ce871b1672265a2d2dc3772fe6fd33314c19e42

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\imageformats\qwbmp.dll

MD5 50854ae793a75bdbe0fcab1867b6f932
SHA1 91f15c56945d08d7ad54339c68e7318a7fa653b4
SHA256 92283f9f9588a12c630848c0949421dcb9aa33cd6545ff1e3e480ce3d7e7e617
SHA512 437a7626dfa90038800068e385c5bd8515f7394366532769defd7a7992593f5051314a1c77ccb9b87d47c304dfc9be62e39444250651f4c8cab9052c65ded14f

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Svg.dll

MD5 67a888c61e6f1dceefbde7287e80e59d
SHA1 4cbd1ea71ca25a6b87c64c163d1fb3e61cdacc2f
SHA256 22c48c35d9915bc89b13d2dca91c74b8531989a887faf642c795bf593e00306a
SHA512 aab6f980e0b397fd7e8823370ac398d108f20a2f5c3ca052391a7c753ef77c82d94e0a37d64bc708aeb5c95d31e534faa1a6a7582d80fc285325acaec226f1e9

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\tls\qschannelbackend.dll

MD5 8eca729b0b937a63aaa105c98c2647f1
SHA1 9a047c46345d6f0d48ed9901bf8fbbc20d902714
SHA256 f0dba9588db6f1599b0668b8b41d054e549e2b7bcdea6e5a1f36f49925d50efc
SHA512 74347a89a14c8e884fd20c860940b54e32b172edeec5639ed3c4ff9db9eea2ec2281d54facdb64d71fb1e63ec462063ad844277522c0a3162a4f8b72d18a0c92

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\imageformats\qsvg.dll

MD5 21d1279f76e64e42db06c9e27776d3cf
SHA1 6f24d575f44d43abf8a2ee2d9a4b7dcee1537e9b
SHA256 8878473e57bdc0a754a6df4fcdc5c13ed5500adbb0a057f73b21674514adcfc6
SHA512 1beb7d24375fe6bc6dfccf564836a77bb68679d6f7b81364476ac346e6a0fa48d1b6782f101823c51550c600940c78fee79567eca248fb3b782d7bfead7d7141

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\imageformats\qico.dll

MD5 c64789dba4e2aa3bddf17bfa89e7ab59
SHA1 d5914f9eede38dda3e16c4299fce8016799b28d3
SHA256 bceee911a3ffc1ed7b09a9d79374053fa813a04a22c40b0a4984b845582e3e8f
SHA512 31e5a009284867a591ac9dbce92bddbd8b914133bb03b327984edfc4c3f4329a08238b1a239e7408d8efc715ff23acfa91723720879ab8fd4a2619e948ab5683

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\imageformats\qicns.dll

MD5 b8466ebadaac59acc5fffb674fcc81c0
SHA1 d40349f19c85405fac6d027008a47a51de9e82f2
SHA256 79b31f4de8f3d4ae02d1115e4ec384aad568b4fba8631b5a01a578c42748df19
SHA512 ddecf05443bc19b95bbb654b7ea9417a26f37b9c8a293d16fcd6e817eb984baf0497e183acfe91096e3b1f6367e827fa3833b0a90fb964671af014c78e9c16d4

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\imageformats\qgif.dll

MD5 000b3771b3dcf0d7eb72750edd80a192
SHA1 35506ee878b8ad21dbd35876baaf586c30152b71
SHA256 6ff0b57822dae5132e1640afe4f8fd6b75e21cf3f1eae53d70373c25a5506581
SHA512 4472089f5524172fcfd8d2f8acbf67a3f22b08f788b52d8f42d2736d050cecb87215a9b8d706baca12d5916d3ff79bf57420766746c2484981d679239b3f2924

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\iconengines\qsvgicon.dll

MD5 b57d0218475b81560454e6c0a1a6d9c8
SHA1 21206763e7121d4792bbf24075c6f6e27c2c11db
SHA256 8ab3b526b35a0dec08b4042da70f942b3b5f4d413ad4035c691f972b2008778e
SHA512 83464c21073edddcd77dc0978257bf13554ef01825672b60081d9d4ee5caefffe9ed6fbefda0bc7bdc413925b9265981a994195700190cd81cf6b1c93810e891

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.zkXlbK

MD5 a6dc16331f06bc5831e5ddc9799284ec
SHA1 d344f83d549df8c3e2c959182ba37f8c81d885a5
SHA256 9da99b49301ba83c33387e75d2028185562479e677b6afb110b4f8b098465807
SHA512 43e498eab5c6f9b2f70c01e0abd4e63edb2651e498f267b53c7f62f2ef9c1eb68fa4783967fdba1880722a8bcd6e58065108f42773f0f47c04c9e54e809b1c14

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\platforms\qwindows.dll

MD5 6031ccd3785bafba8556008cbc058dfd
SHA1 885147d02060dab7b0a124865c8116a478297ce0
SHA256 2bdc29b85bd94170f97aadb1cd447eefe7a3ddf7950c535c81a9ef63e17d1ddc
SHA512 b35c58cddc461c0160ee223fddcc181d8e6c21b5713fd8d216334b69f6ab1e4c12f4da1d377fd5b718db2c723ab20b673ab89190a3acc88d3cab03ff23bfd23d

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\platforms\qdirect2d.dll

MD5 a883645fd99ed6b7d6398e1bbc5028d0
SHA1 ab0afcb2d58df52f402c0a2a81bf3f769fea15fa
SHA256 9386b1af2adbf8972801723f7d13f394d96001e979f06dd0695622a6a3ad63a8
SHA512 d70aafb4cbc0c2f2a8fc16e3560248f867908548c7b970d827ee9ad8c7342502dcf77a7b442a06a547dda6bdc6f3673dde5f909242327161fe1fdb272575ee3e

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\qt.conf

MD5 7215ee9c7d9dc229d2921a40e899ec5f
SHA1 b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512 f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Core.dll

MD5 46a0dbd38cb28d8e79c80c9a033f6ae9
SHA1 1be5f3e78485f9b08e32346f13155a94001de50e
SHA256 225bd38093416c825f2e3220213f64e1079e9ab20f4738decc0fc6eb992e8a9e
SHA512 3fb62bce7b1d5129237914269aa3dd9a24f9e797927f2f4f937a0a291d357a40ec51b9c829094dc0bae1edcd6c580f1c9a03ca2c84d5526599c3608246f00bd0

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

MD5 8ffa98a7e6725409d8e827b628ca62aa
SHA1 df3bf2ddfe378f056be33ebe4a5ef294b71e68a5
SHA256 b6b0d0f29e3262f4e90f82bc02f156e07f65071f57b0cc40da3f733d7f89af92
SHA512 7f7b2bb4ff011d29814f1d5d53fd91eabd922d8858d385fa86edb2027d005170df833a503f6daf5d6976130789674f6a9fedd2d07255b85c950bd79705855feb

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

MD5 24afd16330d8abc16a713d5c28de2fd7
SHA1 defee48e05431514dc7cc2d5bd5c74e24f530898
SHA256 6634b52e824f9e85cb1eacaa1b10c1204f331b290d31a30f9ea658c70c3f1644
SHA512 36b6918f92b31c0f4633acd19a148e2beac6ccd10eb09bd0eaac78de718bf36592584881e74cdec4a5d9d0b21adc870e07d380c86b370d4c82800d77ea5665ca

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\jars\JavaCheck.jar

MD5 f62d3996b12c029c3a3bad80b70aa483
SHA1 5707a289a2487602e02376378deb63e75de2e83a
SHA256 885bb0c56f0657fda08ad5d46043db424e3ff9965757039b30e1a656751c5e3b
SHA512 8b952e47b1e5cc061157412771b2d4ecb3215246e43ba12bb3fd83da6f6957c4b722cc6bf77c5bd067a4b6f50f5a26a2b6542f04e7b1cc02d78b39c440d8d949

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 e41aad8e9c9532ed216d332b6c8ccb2b
SHA1 1d4e1f1bf1a59a13ab4a7fe43740bfbfa1b0dc2b
SHA256 5f00e60fdc842d8094e0d01ed1e1b632897c65a0da83727a0411aaf37b034365
SHA512 2c731bbdefa9fcbba460db5893d84b60319a8263ed9342557857b71619092c5e7246787afae1fa82e64a391fcf5e1562cf4ce0846b254ca5df032941cdb16b99

memory/3980-240-0x000001BBDE2E0000-0x000001BBDE2E1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 994b86cfaa66ece04c95f6f482a778cf
SHA1 898cd0f43a51616031bddb48b43fcda85970ac3e
SHA256 80e7930171237614a6837cd5ff62aada947d776216e85f4b25425237922d5a2c
SHA512 0aeef35af813b1d12b00ffc37bd9d2dd78b0ae216dbba48609aa4eea2e62f0fa4a716aa7610d3079cc234bf3d14c5877d594e9179e2e283f8ad3cf247bfad228

memory/1576-241-0x0000022F2DEC0000-0x0000022F2DEC1000-memory.dmp

memory/1312-245-0x000001A9DA690000-0x000001A9DA691000-memory.dmp

memory/3528-246-0x00000205D7970000-0x00000205D7971000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

MD5 07b3e2d7bad863113668ef034d995e7f
SHA1 346866d9e08e4fe02f05c17f8125bfd9f6da5f77
SHA256 1af8d09466a2cc9c202dba60365c64166fd49f5dea206e618a11fc9b17dd5c17
SHA512 cdd31988faed3663052d7342aa5c8ccffa4db0e42165f58ed767e02213025273fe9feb66b56bbd52c08ec41018c1f4175319722124b6318ef1eb5633b624745b

memory/2632-263-0x000001DE93FF0000-0x000001DE93FF1000-memory.dmp

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

MD5 9414c8a3dcd525b774749828b6bd3809
SHA1 25984d5f65180f6d76679a1b64f19c5aa6583600
SHA256 29981bdfa14ddc1b4959ecad62f1450431bc7cdbcf5e524c1329ff36991aea81
SHA512 08d5f834bc167c9e85c96e09bced3f9ebf5b80aaf5f7575fc6d3074ed5bcce7ce3963fbf0302195f61ed2800b13677415c974e978e882574c69a8ffc5708a68d

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

MD5 6c470a556503e4e5ba518540f49d7f0c
SHA1 9318028b0bfd4297a99bbf3c020cc079358c8572
SHA256 bfcc8327a9583b60f543a2c05926a961872f7b5afe320feaf3f6c43094768a56
SHA512 be1d231a256637d38f44e04da061aed71221101c1e50737349210c16cf7bfc8d33e028aa1f0e5327f6607da883e40849280c778833454fb86eedd22b75d7f652

C:\Users\Admin\AppData\Roaming\PrismLauncher\instances\1.19.2\instance.cfg

MD5 782d0b785a366c2978e3a6dbb87d4e49
SHA1 121f2151c56ae721eb277583975fe867cfa504e9
SHA256 711ae2efcfcb09ac07bbf5e885eaf2377b85deb02095e0a422d4cacfa4005ad3
SHA512 39f6c2b6870a8cf9e438525ea5ddca450a896f8a6a0337f1446dd46695357ea73f4b4940cff6d7bfe7c6a9c98727c75fd157b4b7fb6929b0e30bf109ea2f2809

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

MD5 4e1a05116239c483261b3140aefc5b6a
SHA1 2e35bbb3701ca3de454d201e152cdc7a11132ff7
SHA256 3f3114709078c64d4a69c861b3dd1b132c057358c70590c6a060e27eaeb31551
SHA512 efa145d4bf91cf549268ee826228364cb166b13e555ae4e560140b0d60ba33122e737a7a9f5412bcb8a9fa1e2843db3a82a7260d05c89b9b6309775e0fa69e3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_752_BGKMVQLVOWBDFDTV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
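
The list records one entry per file write the sandbox observed, so a path such as prismlauncher.cfg appears repeatedly with a different hash each time, and it also carries dumped memory regions (memory/<pid>-<n>-<start>-<end>-memory.dmp) that have no hashes. Two things are easy to misread: an entry whose four digests are those of zero bytes, as for the crashpad pipe above, means no content was captured for it, not that an empty file of interest exists; and a path with several distinct hashes was rewritten during the run. The Python below is an added example, not the report's or the sandbox's tooling: it parses entries in the layout above, flags empty captures by computing the empty-input digests rather than hard-coding them, counts content versions per path, and decodes the memory dump names into region sizes. The embedded entries are a constructed subset copied from this list; most keep only their MD5 and SHA256 lines, and all four labels are parsed when present.

```python
import hashlib
import re

# Constructed subset of the Files list above, in the report's own layout (path
# line, blank line, then "LABEL hexdigest" lines); SHA1/SHA512 lines are omitted
# for most entries here but are parsed the same way when present.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

MD5 289255ff339b0ff529f43acb848b91ea
SHA256 ef302e37bc7f02edea74acaf614ecb71a6aa6f8e703db6811502169c2102c7ee

memory/5104-102-0x00007FF6AEE70000-0x00007FF6AF838000-memory.dmp

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

MD5 8ffa98a7e6725409d8e827b628ca62aa
SHA256 b6b0d0f29e3262f4e90f82bc02f156e07f65071f57b0cc40da3f733d7f89af92

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

MD5 24afd16330d8abc16a713d5c28de2fd7
SHA256 6634b52e824f9e85cb1eacaa1b10c1204f331b290d31a30f9ea658c70c3f1644

\??\pipe\LOCAL\crashpad_752_BGKMVQLVOWBDFDTV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEMORY_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Digests of zero bytes, computed rather than hard-coded so the check does not
# depend on remembering them.
EMPTY_DIGESTS = {name: hashlib.new(name, b"").hexdigest()
                 for name in ("md5", "sha1", "sha256", "sha512")}


def parse_listing(text):
    """Return [{"path": ..., "hashes": {"md5": ..., ...}}, ...] in listing order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1).lower()] = m.group(2)
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def empty_content(entries):
    """Paths whose recorded digests are those of empty input: nothing was captured."""
    return [e["path"] for e in entries if e["hashes"]
            and all(EMPTY_DIGESTS[algo] == h for algo, h in e["hashes"].items())]


def rewritten(entries):
    """Paths listed more than once with differing content, with the version count."""
    versions = {}
    for e in entries:
        digest = e["hashes"].get("sha256") or e["hashes"].get("md5")
        if digest:
            versions.setdefault(e["path"], set()).add(digest)
    return {p: len(v) for p, v in versions.items() if len(v) > 1}


def memory_regions(entries):
    """(pid, start, end, size) for each dumped memory region in the listing."""
    regions = []
    for e in entries:
        m = MEMORY_DUMP.match(e["path"])
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.append((int(m.group(1)), start, end, end - start))
    return regions


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("empty captures:", empty_content(entries))
    print("rewritten during run:", rewritten(entries))
    for pid, start, end, size in memory_regions(entries):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} ({size} bytes)")
```

On the full list the rewritten paths are prismlauncher.cfg, the two Crashpad settings.dat writes, the data_reduction_proxy_leveldb CURRENT file and the .oracle_jre_usage timestamp, all of them configuration or state files the programs in the process list maintain themselves; the 0x9C8000-byte region dumped from PID 5104 is the launcher's own image range and is the one worth comparing against the installed prismlauncher.exe.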

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

260s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Gui.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Gui.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

301s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Xml.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Xml.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qico.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qico.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240226-en

Max time kernel

231s

Max time network

299s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 1820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1820 -ip 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Widgets.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Widgets.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qicns.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qicns.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qjpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qjpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240508-en

Max time kernel

300s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qgif.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qgif.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

275s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qicns.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qicns.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qico.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\imageformats\qico.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TaskKill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\curseforge\shell\open\command C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\curseforge\shell C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\curseforge\shell\open C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\curseforge\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\PrismLauncher\\prismlauncher.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\curseforge C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\curseforge\URL Protocol C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TaskKill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe C:\Windows\SysWOW64\TaskKill.exe
PID 2248 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe

"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.3.exe"

C:\Windows\SysWOW64\TaskKill.exe

TaskKill /IM prismlauncher.exe /F

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso8BBD.tmp\nsDialogs.dll

\Users\Admin\AppData\Local\Temp\nso8BBD.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nso8BBD.tmp\nsExec.dll

\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

C:\Users\Admin\AppData\Local\Temp\nso8BBD.tmp\modern-wizard.bmp

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core5Compat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core5Compat.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core5Compat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qt6Core5Compat.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-10 03:08

Reported

2024-06-10 03:23

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iconengines\qsvgicon.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iconengines\qsvgicon.dll,#1

Network

N/A

Files

N/A