hxxps://drive[.]google[.]com/drive/folders/19vIUb8PLsRoYyfxQ26DEu6f-Imgz4oGN

Analysis

max time kernel
166s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/19vIUb8PLsRoYyfxQ26DEu6f-Imgz4oGN

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vc_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	prismlauncher.exe

Executes dropped EXE 15 IoCs

pid	Process
1816	fabric-installer-1.0.1.exe
4136	fabric-installer-1.0.1.exe
5980	fabric-installer-1.0.1.exe
6040	fabric-installer-1.0.1.exe
5248	fabric-installer-1.0.1.exe
6104	fabric-installer-1.0.1.exe
5712	fabric-installer-1.0.1.exe
5784	fabric-installer-1.0.1.exe
5852	fabric-installer-1.0.1.exe
4084	PrismLauncher-Windows-MSVC-Setup-9.0.exe
5828	PrismLauncher-Windows-MSVC-Setup-9.0.exe
648	vc_redist.x64.exe
5760	vc_redist.x64.exe
4876	VC_redist.x64.exe
5248	prismlauncher.exe

Loads dropped DLL 33 IoCs

pid	Process
4084	PrismLauncher-Windows-MSVC-Setup-9.0.exe
5828	PrismLauncher-Windows-MSVC-Setup-9.0.exe
5828	PrismLauncher-Windows-MSVC-Setup-9.0.exe
5828	PrismLauncher-Windows-MSVC-Setup-9.0.exe
5828	PrismLauncher-Windows-MSVC-Setup-9.0.exe
5384	javaw.exe
5760	vc_redist.x64.exe
2688	VC_redist.x64.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe
5248	prismlauncher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{804e7d66-ccc2-4c12-84ba-476da31d103d} = "\"C:\\ProgramData\\Package Cache\\{804e7d66-ccc2-4c12-84ba-476da31d103d}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
10	drive.google.com

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e592961.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e592939.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C36.tmp	msiexec.exe
File created	C:\Windows\Installer\e59294b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E1902FC6-C423-4719-AB8A-AC7B2694B367}	msiexec.exe
File created	C:\Windows\Installer\e592939.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e59294c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59294c.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI361C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39D6.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{382F1166-A409-4C5B-9B1E-85ED538B8291}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EE7.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Programs\PrismLauncher\vc_redist\vc_redist.x64.exe:Zone.Identifier	PrismLauncher-Windows-MSVC-Setup-9.0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3856	TaskKill.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{E1902FC6-C423-4719-AB8A-AC7B2694B367}v14.42.34433\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\curseforge	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Version = "237667969"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\PackageCode = "C115E40EF1D73624BAA68F6193F24D7D"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\curseforge\shell\open	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34433"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Version = "237667969"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\6CF2091E324C9174BAA8CAB762493B76	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\curseforge\shell	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\PackageCode = "C029B57ADC55135439F2BCC435C9148F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\VC_Runtime_Additional	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{382F1166-A409-4C5B-9B1E-85ED538B8291}v14.42.34433\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{382F1166-A409-4C5B-9B1E-85ED538B8291}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\prismlauncher	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\prismlauncher\URL Protocol	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{E1902FC6-C423-4719-AB8A-AC7B2694B367}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\Provider	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{E1902FC6-C423-4719-AB8A-AC7B2694B367}v14.42.34433\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\prismlauncher\shell\open\command	PrismLauncher-Windows-MSVC-Setup-9.0.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.42,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6611F283904AB5C4B9E158DE35B82819\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\6611F283904AB5C4B9E158DE35B82819	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6CF2091E324C9174BAA8CAB762493B76\Servicing_Key	msiexec.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 637495.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 105940.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Programs\PrismLauncher\vc_redist\vc_redist.x64.exe:Zone.Identifier	PrismLauncher-Windows-MSVC-Setup-9.0.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5248	prismlauncher.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1760	msedge.exe
1760	msedge.exe
2444	msedge.exe
2444	msedge.exe
2772	identity_helper.exe
2772	identity_helper.exe
392	msedge.exe
392	msedge.exe
2800	msedge.exe
2800	msedge.exe
2316	msiexec.exe
2316	msiexec.exe
2316	msiexec.exe
2316	msiexec.exe
2316	msiexec.exe
2316	msiexec.exe
2316	msiexec.exe
2316	msiexec.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe
5416	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5248	prismlauncher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3856	TaskKill.exe
Token: SeBackupPrivilege	5912	vssvc.exe
Token: SeRestorePrivilege	5912	vssvc.exe
Token: SeAuditPrivilege	5912	vssvc.exe
Token: SeShutdownPrivilege	4876	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	4876	VC_redist.x64.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeCreateTokenPrivilege	4876	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	4876	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	4876	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	4876	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	4876	VC_redist.x64.exe
Token: SeTcbPrivilege	4876	VC_redist.x64.exe
Token: SeSecurityPrivilege	4876	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	4876	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	4876	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	4876	VC_redist.x64.exe
Token: SeSystemtimePrivilege	4876	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	4876	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	4876	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	4876	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	4876	VC_redist.x64.exe
Token: SeBackupPrivilege	4876	VC_redist.x64.exe
Token: SeRestorePrivilege	4876	VC_redist.x64.exe
Token: SeShutdownPrivilege	4876	VC_redist.x64.exe
Token: SeDebugPrivilege	4876	VC_redist.x64.exe
Token: SeAuditPrivilege	4876	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	4876	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	4876	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	4876	VC_redist.x64.exe
Token: SeUndockPrivilege	4876	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	4876	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	4876	VC_redist.x64.exe
Token: SeManageVolumePrivilege	4876	VC_redist.x64.exe
Token: SeImpersonatePrivilege	4876	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	4876	VC_redist.x64.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeBackupPrivilege	5700	srtasks.exe
Token: SeRestorePrivilege	5700	srtasks.exe
Token: SeSecurityPrivilege	5700	srtasks.exe
Token: SeTakeOwnershipPrivilege	5700	srtasks.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
5760	vc_redist.x64.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
5376	javaw.exe
5384	javaw.exe
5288	javaw.exe
5280	javaw.exe
5384	javaw.exe
5376	javaw.exe
5288	javaw.exe
5280	javaw.exe
5340	javaw.exe
6004	javaw.exe
5600	javaw.exe
6120	javaw.exe
5732	javaw.exe
5340	javaw.exe
6004	javaw.exe
6120	javaw.exe
5732	javaw.exe
5600	javaw.exe
5384	javaw.exe
5384	javaw.exe
5384	javaw.exe
5384	javaw.exe
5384	javaw.exe
5384	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2500	2444	msedge.exe	83
PID 2444 wrote to memory of 2500	2444	msedge.exe	83
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 3712	2444	msedge.exe	84
PID 2444 wrote to memory of 1760	2444	msedge.exe	85
PID 2444 wrote to memory of 1760	2444	msedge.exe	85
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86
PID 2444 wrote to memory of 4040	2444	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/19vIUb8PLsRoYyfxQ26DEu6f-Imgz4oGN
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4fe646f8,0x7ffd4fe64708,0x7ffd4fe64718
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4136
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5160
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5376
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1816
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5152
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5384
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5980
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5996
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5288
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6040
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:6072
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5280
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5248
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5148
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5340
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6104
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5536
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6004
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5712
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5816
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6120
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5784
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5944
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5600
- C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe
  "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5852
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-version"
    3⤵
    PID:5972
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "javaw.exe" "-jar" "C:\Users\Admin\Downloads\fabric-installer-1.0.1.exe" "-fabricInstallerBootstrap" "true"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Users\Admin\Downloads\PrismLauncher-Windows-MSVC-Setup-9.0.exe
  "C:\Users\Admin\Downloads\PrismLauncher-Windows-MSVC-Setup-9.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  PID:5828
- - C:\Windows\SysWOW64\TaskKill.exe
    TaskKill /IM prismlauncher.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- - C:\Users\Admin\AppData\Local\Programs\PrismLauncher\vc_redist\vc_redist.x64.exe
    C:\Users\Admin\AppData\Local\Programs\PrismLauncher\vc_redist\vc_redist.x64.exe /install /passive /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:648
  - - C:\Windows\Temp\{413ECA2F-2033-4092-8CC5-BA9BEEC54C1A}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{413ECA2F-2033-4092-8CC5-BA9BEEC54C1A}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Programs\PrismLauncher\vc_redist\vc_redist.x64.exe" -burn.filehandle.attached=688 -burn.filehandle.self=736 /install /passive /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:5760
    - - C:\Windows\Temp\{77595059-3500-4A20-AC63-BD34FAD9D54D}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{77595059-3500-4A20-AC63-BD34FAD9D54D}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{94B28B90-60E1-43FF-9713-45016B20779C} {3A026897-E45D-4456-B3D8-C77BB38CA901} 5760
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1200 -burn.embedded BurnPipe.{808C3394-70CB-4C4A-A28A-E90F93F8C06B} {35DD78B1-0E08-46C1-891D-153ED9666535} 4876
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=652 -burn.filehandle.self=672 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1200 -burn.embedded BurnPipe.{808C3394-70CB-4C4A-A28A-E90F93F8C06B} {35DD78B1-0E08-46C1-891D-153ED9666535} 4876
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{C79EE9BC-F651-44A8-9655-CE3594BABBE6} {A635CE1F-41FF-46DF-9255-F1C2FEF4CD49} 2688
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
- - C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
    "C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5248
- C:\Users\Admin\Downloads\PrismLauncher-Windows-MSVC-Setup-9.0.exe
  "C:\Users\Admin\Downloads\PrismLauncher-Windows-MSVC-Setup-9.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16495544664915519212,5185667055803801075,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59293e.rbs

Filesize
19KB

MD5
d047c586dfab89764f35bc3efc1bc705

SHA1
dfc158168aa66f666bca2b4d934fac26f342a724

SHA256
9ed3f437fe04ec99e7ec01721ec2ce5a08523e7132033c595b9ecb9db55a8b7b

SHA512
9c58f779fa6c8fcd41f6a2fa601e5929746cd5d17f17ba09af425365cb5f6518143ec91b292b627ddc4cbd15f17a0affd16338dfe3ad2a0bcee11163ee146d8d

Download Submit
C:\Config.Msi\e59294a.rbs

Filesize
19KB

MD5
7cbebd44545cb7cd4e7a85f91987a26e

SHA1
ab9e591c080e63043c0bf2c35f9438069c377396

SHA256
5fc143d7b56389e0ccd3cd64d5291ea7f5f745be4021d94f8d79c4455c342793

SHA512
4f6ffd037983877c8e3380a8661637244adeb91cbb094b8f6415e4f1d2ebd51191bb35ceb859b5de40dbfce5fb24ab1a7dcaef6cb74849efcb7894d909ea4b25

Download Submit
C:\Config.Msi\e592951.rbs

Filesize
21KB

MD5
1cbca805f22e94848aac7a4e8387b4b4

SHA1
fa9d68be9c522b7bb852a8385843bf601da954e6

SHA256
972d22e081d10f0aafdf1a5c8bc432579d4beb69faa5385807d0bbca68c7303a

SHA512
48075c214d95c3eb40327d97c9c698d182b1ede54706c319f044b9519944c551beaccb20689fda33bfcbffe5af7d81c8a8417bda6e64a04263c019f9019f3b00

Download Submit
C:\Config.Msi\e592960.rbs

Filesize
21KB

MD5
8d08f3e8b94bc48928ac30074a4a0c29

SHA1
e255ac9da720c045127dcb81664a8121976eb10c

SHA256
21c774c803b5ff47015a82574646644e8af16c4495d7e17fefab2803a26b7f02

SHA512
ac5d2f975352e8af574df9d09b11c9f6f8836e962929240208178be21db729588889a475e5da0bcd360fe4721c3cf4ef1d32a81c1d733258aec063c0c2a8d77b

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
147d33cdfc69846926f0a6fa42f26a2d

SHA1
b1c8355efa136615af4ac2d4f66658b1fb3abcf2

SHA256
e5f2e91734faefc8f0ae14e744619d70a9333004cddbb7730ca003a970829078

SHA512
b40574fd1e4151c0727103a10c84e4b5556bd36ba0a60976a55edc7ed6c88776af2b04e5f1e3b4968ee6425f2aebd392c4fbcf2d94123795fccbb6f9364c7830

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b453d95044c3cc7a2e4365849b825091

SHA1
ba67d3cdd8dfdb5beea351a4e0b088cc5c7da469

SHA256
f762c1392da81e060eb7db29cf639808c21c7ea9842788eac90d8bf2222b2703

SHA512
c8151d9c831ac927d7b8fafd474435ae208bd8e2dd253a48e4ecada7117cca279f68cfe4a996164dd3f172ba6dff71542aaf3b6812ab9ebb606c15417ebe5a91

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ee0b41d9428ae6b89e2967b66b270dcc

SHA1
3df2201545123d4446ef5a0f280cf3c36881c94a

SHA256
a2124c3a81d845954fe67daf1fefe711186621fcf923ddbc4875ce37a3275090

SHA512
484694b293910ce8eec2856a8b0166dc3bfcf1df56943f4c2f788d92943fb39dc95108528b03214f797fddd024ba0ab547aab0b33d6767fe631944f59c7fefac

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
352ff18f5e2edeb70830b9c57b904f40

SHA1
d3ef367a859c905b21fb3fe457c2ae315ab28567

SHA256
db1eedc5fbacedf4d50bc32901d73783e36dc41d1374201c7c1d74541f4c4c10

SHA512
875e7e5381c7b786bb67a1487e756ccccf6ecd50c99b211f118fa91f811cd809abe23162fdb18c46f9824a8fa7f8fc06a266ec52a71edc77da6bcfe22b1e2c37

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
a88932e59d4605dff3dacf53cf436a7c

SHA1
ca967216ca4f24dc6eb72602f7aa8ff3b208a25f

SHA256
fd4d4f7fdb5116932cd6f4f87ab02fe19e6e2ea61b5f853a37bd1f32d035f959

SHA512
a8da976b0bbc5830c102c651ad7d9b40e5d3022fdca514236decad1d27ae67870522436f1eab4f25434f3ba6e62fc67cdf05ffc075addb375b441e049c006e9c

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
75eaa3751c47aad3e50d035cf5d4578f

SHA1
f7a641156531cd4df8f5e135aa9cbd497b59e234

SHA256
a05c6525d06102ae2609f26cbd33ab67084170c34163bc0e93d3eb60109e1a18

SHA512
6cf0f31e1216d5fad83220f1fb4d38ff9b878e07ae8adbe48b3dd193366393983c75e2e988f420aa0ec1d6f2dce430c8d4d06e681baca04daf5902a756abdb7e

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e0166e771da0e1c9323309a887738c70

SHA1
0c2c49755ce21e2a8b7f7c7e8a545ab462d30bc7

SHA256
2a7ef4e140de9a09302b0054bf88d1e00c030a7dfc744a90f946b72b54d448bc

SHA512
6fb9ce14e3f4ce2f45d2269634b44c2128df4995b0938feaf657db32d4a30de1b8291ebb5467d223874283eb505c6eb69d52c4ab4d46156ef02cb73dcd42bbbc

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
db5913047a147e84c07b2f63f49adad5

SHA1
dc7604ff00bfbffb558c80015c485631965a3abe

SHA256
d7e8ae0f51315bdb484ea580fd2f3fc4a6a7e7c0ef81676c973909fe232312e3

SHA512
5ecfaa41914dc7dd7e436344da79d58905ad19304fe4cd5b67b8a0132421855a960412129ba3159ed73a33fde23424ed9d93697e5243a0d8049ad55aa57adb9c

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
2c5309881ae1aea5457b5023ca713cba

SHA1
9cec7eddff77076c80168e43ec0a01952e49495b

SHA256
337424963b6bf52f14cc5d4981ac8ed36632464a2b600e30bcf6edd138522d9b

SHA512
4abe0a64f76fb219702cbd7a79409f41c16bc02ce2fb5bbcd0b3834a79aa01ed9d3f6ba66238f789a3907dc055edb190d66b17feb0d9e8f8243cb00d5dc7fb45

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
219b1a4b699846e4117e98dd5168b85f

SHA1
355179a492058c12c2f1659fb27cac7683a07db2

SHA256
feb452015e111bf7c61d39eadcca055eb6a9ad3469bad75b0302ff2ae4c2a2f9

SHA512
16f2820fcc8325d704abd33408c9b34d55dd2600939afca1a25e4b481c87d61e2190ce1e6fae528705b17ee4c38f8656744a8bb2cc73b00a04ac62af8147ae10

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
4d963332f0a71fe6fdf4623a92acbe81

SHA1
7c7998b774a46f583dd0594da595167eb5f8dce7

SHA256
9b607ea4ec8c4283f1ed3f38768a90e6dd00f6fdcc6204d456ee991373782410

SHA512
d12afec4e7a1b8e5a1340d0b7aa4f610b31bf2d7ae4e7fd83107ac70b8471b3a9910c3d98e4154964bdd6d60c21d82cb6aded2880c503921b6e7d0e88d69d651

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
39f69bca09bd7d406fe1ab669370393a

SHA1
e672a9e5885a654eacc546c5c35e90f806289045

SHA256
8b4e936e63f9340b984a90c578ec84e85f456c07079ba0e3ede8a72b3f4405dc

SHA512
9e22ba4648cc42a9be6e8bea47e7fa64ea9b259e570ccb035be281c3412fbe8d80875af7daed9ee80fb87a51504b09a6a8bb88398d83cc5155404fb270c7a5bb

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ca24928086d5382fdefd2bbc87607460

SHA1
397911108e4f0d1bff2e3ba18fee2b295efb008f

SHA256
23be33ade2dfb70cb63f73a7993400e747f0362b3ed4b118b4ddde1ae87fb1e1

SHA512
983bb8432d26f2a6b81dfd233f64dcee8b9aa6ec72692fe0536571854fef13970fd30cb7502c6658217abdeb892327e8691080385bb4c865f48056f69e08e1f9

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
766ed8ac280d7f7e4a2fc9863b93d416

SHA1
5f5af8b5ad788a60d8e9a2c8c8492c63b124652c

SHA256
684ea0a0d36bd88db4f9b354053f3cdd8dee96205a8bd8aa105f88a32c2aeee6

SHA512
02044a55c9c1fec4f6c96f9483990cab8f04448047f9f2de3b813a2c076e98a54854bb6e17594f5de3b2d5d70743989a3fc250539414852e21771cd53e18ef40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
33KB

MD5
8d3c9ad0d2da7700f9f4025d78a020af

SHA1
850f31105791ca8120baf53e0c6e2407c2e46f92

SHA256
64bcc7f9c6d4b9ce6c38ecf0400da133c58afa82fc8c24ed1f87f27d7f215e26

SHA512
7ea30fb996929aa21a045b468bb098be755ba348b9339a82ca4b80644a002cc79015b4e664969458d03d936c692e0407520387e10a3d9d5bbd7cdd92986d895e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c6aa50207f3ad2b720d5b02ed7efb7c1

SHA1
1e14d530a0f7d6f7e8731a2c131e62aa18467089

SHA256
8231db39caf38a112046ebd13bafe5d7d48061a7f2912bf9c9ef57cef477a18b

SHA512
a10ea50bce4e871317a33ef04c974460339667c7f7cf2ac8a80236b0f9e1e72e09f21516158523fccc0a51a52a64499b3cc357625ed44ac274a1a341afc09a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
775285e55e419c8abc2c1636e11fe024

SHA1
75be2c5a2a06d78e8ae8f889408e2e7fcd3cf204

SHA256
089b77e6df5fd781fbb15c50f7ded6dc5b82c425acf5ee9b577ca3174afdd37a

SHA512
38ff602f2337f48dde8e93ba81f03f95f5d24a4861576ea84da1f55cf81e3d306fe17f870ba70d9142f1beab402a627da3b3f46bb3834c10a1afa9538e477cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e97e5a89cf2ef4f437a2dd655d0754e1

SHA1
38b63c745a19348960136174d76a11f4722878e1

SHA256
29abf3220f6de864f9373d47d9be2aadf9775767dfc2bd1e25301474360d1906

SHA512
10a30033cd7168ed3488c355c8c718d8ba5da917263358af3e34a8129af62e11e395b732bcf9f4656a765b1fe4ec9037dcb57f0db7044e549877414bc9235e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62c5d2670ceb8f4b1e2bd0141522d200

SHA1
faa374c8235e63c466f6fe6b1e28404f7118900a

SHA256
b8ae5e0941a77cffafd1aa4ebd21e3b7c185939f06c2c2d71bdc1779ffee7f91

SHA512
87f37fe022c4934de80884109afd8ef0613de0d97f91cffb0e4608732ec022e497958c7f53a9e818fd75582d281338a650a390ef6f1ef016270d2d653d58ef11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b9d7579fdce052a4687587e934ef3c2

SHA1
0738e31088f89a3fb9609900fc581ff17ae427a1

SHA256
4eed86d14a323b171f5c64d12c32c0eb3921f49cbe69456b1725f891728b4486

SHA512
09b830ba3b9eeee3d719a8ea8f7c3118b22f072de98834c9db354cc32007234192443f02c05b0ca2f23e186f753fa407951881c288a836e247738d2652127acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
409e34fea300a6af17090d5c0925337b

SHA1
a6364784ec09efd8ae3c5a931cd3748b4b7051ab

SHA256
b40f6f1ca06235532b4f9c7ad3b506b686cb0db36023000757045e0a8a972e4a

SHA512
2aaedc10efdd64da8566792779c2481f998f19f6feba0ca50e9dd0bf1496f94fa062205c29a26c8bb832dcaf86e39bd0b7e83c85520e08409b5d35f611abb0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c63aed477a9106fd6693bd2568517b89

SHA1
8c97b652153da3159f81370fe5041a4a6ce3af7f

SHA256
493db3b78bf1321d740a4c7eefdc8354353fe83d9be6e73552f2e7477a3b2131

SHA512
5489415e996ff1e49b2250c7e27a05af2e83c95762b7c0bb266d924e10787475d96e5d7441a31833a5cbedb6eb5a0f2519ef6cb8ae1f90517272ecfa2f3d5b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cf6e376a798fbf3ac6306955367ea75b

SHA1
93ade04918c77f90d3231f4802f76a1508e6f782

SHA256
90d7d524a3ee48ba4124831919a6013384c3d28cecc5cf1a9a8c79f044fd08bd

SHA512
55493bae632d3318b1584da3900055aaf641e36fe30f777ccae8eadb486c0fc936123b586b801e4e3568b5d3f0c950130658d180b82f6de19d0814aae221d64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
92cb7916e3b0b1337582e088e0ea217b

SHA1
a13dfeb3ab846be7ad38ef5f919accbb269ce275

SHA256
8d50a9e25ede7685d33ad57a6d521828f64d4196a25869cf469b19fad5f28f60

SHA512
8b29991f4a4ed54a3f95a7876f26fd3ae69b289cf34eccae367e036ddf4727214445e6bbc27c6f561607502ef531f94782eaacd23adf97ba7aad063dc7b65431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583ef8.TMP

Filesize
1KB

MD5
92dfe7f4b4c3bb74c3e1ab63cda23068

SHA1
993ed3d317ad187387dd0ad9bd306062fd0f558b

SHA256
c4638546de4169eb5fcbb3db88b965dfddcc117ed612aeecfb9130a6f23248f7

SHA512
e8279987aefd72943a3c5e1fca2f45168001dfd68d49e038d2ab2b1a730573fb4b1a51eaf9ca6e402d34a7e16337b1040eacf85ab3aaa4903b55da4e71b1e899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1dbd1a4323e8c567619583f768811afc

SHA1
22b54f37a99253392105490023a0bea568c6d37f

SHA256
281a96971a02c519bf4ad8edbbceb4bc53c000e3d40cf61feab7384dafed7715

SHA512
7bd31aaff0c9b34c1c526e07cec6903aaed844d5a6b99729cd87a7e1c6b6fa58a7166a61774cbeccc01ff7e9aa8c39cee3e2f3a13ffa56f99162ce5ccff80891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ce0ef2301bae67ee53a73252c277d4e

SHA1
95c8d80d435459693755f324738c65853213abb3

SHA256
1f762c73bc6f586df8eadbd47989f103ee6db481cf2fa61b05e8e849db35d291

SHA512
5da26ac8372f0ff1e255eaa4e93cc5376ee324dede460a3948fde87a639656ab9d7f155616ae905324724e5c19684d0f9ea8fe27cfc4318160085ce33f713a55

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
10.2MB

MD5
2c204b19004f1d160d2d4161cef9a05d

SHA1
27b688d753b99f0c343f664daee880998a348732

SHA256
f9ce59d115969877f52211a975367f13b102cf008c194133cdfd37eb7e4d7096

SHA512
b48d21283f495ae336cffb329490f2d2e1ee25da3fa7c7561e5c8c9a1be59e507e2027bbe41d01b7a9416d1706ef337e0870a7a20b73463c906bda943c232f73

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\vc_redist\vc_redist.x64.exe

Filesize
24.5MB

MD5
223a76cd5ab9e42a5c55731154b85627

SHA1
38b647d37b42378222856972a1e22fbd8cf4b404

SHA256
1821577409c35b2b9505ac833e246376cc68a8262972100444010b57226f0940

SHA512
20e2d7437367cb262ce45184eb4d809249fe654aa450d226e376d4057c00b58ecfd8834a8b5153eb148960ffc845bed1f0943d5ff9a6fc1355b1503138562d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fabric-installer-1731927596.log

Filesize
970B

MD5
9bbb93c7c752a125cee5c782aa3dab0e

SHA1
fceb4e528e948a5301af49d289b274d5eef4282a

SHA256
84a56c5dcd6d2eaab84804ad2ea7922bad1899e7b465a975f1dea9dc76d8c7df

SHA512
37a26c46eb8465ad811a589caacc754185729504989d7c3666f03c3b51422113d0525e748660a1fb49ef4eb8a31e05eac1d1ad8ffc4194446d2e4abda1257e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fabric-installer-1731927599.log

Filesize
1KB

MD5
6143bee23d4e10542135a079f7da7419

SHA1
4a289543d73406ccde11b619766d9562dbe5623b

SHA256
072a37f407cc4c1a35cad9520ccdca58ba144b36da92db6485bf5c3fbc0c0081

SHA512
31157ed2a4d51e5f20f1b7ea7fbca4f3fe64930a9b97883edd69b7f6c28e366952689dba082ac0434e13825e0dd755828d775a49f28d9c5b4cd42098dec88fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\fabric-installer-1731927599.log

Filesize
1KB

MD5
945486a39345e5697cf90a4f5e70db1a

SHA1
d164b8c2cd2d1932aa2020a0430d9f33cdceb2c9

SHA256
86696a5e5110861e19a17ec5236f1e72a9d304b1cb7a767544e4fdfec8bc5458

SHA512
afa6746fd030ce476ebff34abcbe7fced6f79b591d874605153557906c6b8f4d6af50f5defd70fdfbf5e2bbec2ac632c60de9e8f08f4f3961dff7d49830b30ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fabric-installer-native828409193221643389.tmp

Filesize
9KB

MD5
2a4edd64e186969b56c571c6889b450b

SHA1
6dffeccb4f7f65d0fedc965bea8e1494375a3d9f

SHA256
32a9cbd598dfd72ee53e60c79c195306afd19acc65c8fc1db6d33833d1550f25

SHA512
e3ff5a86dccba08caff1ee17bdf9a33a1e0a43e0ab669a23e0eb8f9d8f85d1383ec959d7cde6ef6b40fe58ae02a795761fdd36769aaf202c0ff5d2eda1d1510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC11A.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC11A.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC11A.tmp\NScurl.dll

Filesize
6.0MB

MD5
bf43de0fb8a2c38abcf7b1cf6be7e7ce

SHA1
5c14855ddbf563da3bc14af40ea5650d627ab81d

SHA256
d9438094e22bd3183864b712e2cbae07f6b184a5ad7b018185e425e215feaca9

SHA512
145388afde1367253d723ea78501dfd61ebcfb17d440d324dbceb5d9b1c50dbd5a69946209722396f1d0f3699dc967bedab690dd670eedc9910b75a4e7d13830

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC11A.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC11A.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\83aa4cc77f591dfc2374580bbd95f6ba_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

Filesize
30B

MD5
a6dc16331f06bc5831e5ddc9799284ec

SHA1
d344f83d549df8c3e2c959182ba37f8c81d885a5

SHA256
9da99b49301ba83c33387e75d2028185562479e677b6afb110b4f8b098465807

SHA512
43e498eab5c6f9b2f70c01e0abd4e63edb2651e498f267b53c7f62f2ef9c1eb68fa4783967fdba1880722a8bcd6e58065108f42773f0f47c04c9e54e809b1c14

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.lock

Filesize
66B

MD5
2ce7ffc0b82249099da9d735eb246746

SHA1
4a5a226296ef9af703d6740def5b41b9747d4fac

SHA256
dc05832d4578ffa103a022321f08edfb3321aa58b6e8d08139b30bd4bd7fccd2

SHA512
6b18bf6564e8ffe3e0edb20a22eab4883f502c23021e1a87644d53def2eb42a3c6d565bdc498c2405bfc88847aaef227a00419ef05dbe70bd520e2a9fe177725

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 105940.crdownload

Filesize
21.3MB

MD5
e4344090fe89f0aa45f0bbbf0de70625

SHA1
00f929602666b10568d53ddd66efccfa59331f6b

SHA256
24f0bce3ce086bc0c32b776d6ac4fe72f38b59a49168195d8f46c13121dff294

SHA512
1b9b987c49ac5de50bda3fc2d30300d3cde974cb4893f1937a0693ade1f36f836f5ea890c813668fb40dbeb2f2c3431359ff3092bd5493f3a4e9f211baee4150

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 637495.crdownload

Filesize
449KB

MD5
7f0502234a4af4bb9ee0b35ee38b8711

SHA1
e708d55f12586a153770bafa4b7fbfa8441b1409

SHA256
d90987a8f7a56cd9c09f69585de0ee6241c326f5b41399b2a8319d03fe6ce64e

SHA512
4dc60b1c4da89d3f40456ca54665c797816e42fa1e44e9b2873f799ccf2a4f834732b2854e3f8491e1ab1be562e7d7528fef19acb49d072a63a668e7e5468320

Download Submit
C:\Windows\Installer\e59294b.msi

Filesize
208KB

MD5
09042ba0af85f4873a68326ab0e704af

SHA1
f08c8f9cb63f89a88f5915e6a889b170ce98f515

SHA256
47cceb26dd7b78f0d3d09fddc419290907fe818979884b2192c834034180e83b

SHA512
1c9552a8bf478f9edde8ed67a8f40584a757c66aaf297609b4f577283469287992c1f84ebe15df4df05b0135e4d67c958a912738f4814440f6fd77804a2cfa7d

Download Submit
C:\Windows\Temp\{413ECA2F-2033-4092-8CC5-BA9BEEC54C1A}\.cr\vc_redist.x64.exe

Filesize
670KB

MD5
3f32f1a9bd60ae065b89c2223676592e

SHA1
9d386d394db87f1ee41252cac863c80f1c8d6b8b

SHA256
270fa05033b8b9455bd0d38924b1f1f3e4d3e32565da263209d1f9698effbc05

SHA512
bddfeab33a03b0f37cff9008815e2900cc96bddaf763007e5f7fdffd80e56719b81341029431bd9d25c8e74123c1d9cda0f2aefafdc4937095d595093db823df

Download Submit
C:\Windows\Temp\{77595059-3500-4A20-AC63-BD34FAD9D54D}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{77595059-3500-4A20-AC63-BD34FAD9D54D}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
memory/5148-554-0x000001617BD60000-0x000001617BD61000-memory.dmp

Filesize
4KB

Download
memory/5152-240-0x000001D558C10000-0x000001D558C11000-memory.dmp

Filesize
4KB

Download
memory/5160-241-0x000002C043CA0000-0x000002C043CA1000-memory.dmp

Filesize
4KB

Download
memory/5280-485-0x00000155FB0E0000-0x00000155FB0E1000-memory.dmp

Filesize
4KB

Download
memory/5280-586-0x00000155FB0E0000-0x00000155FB0E1000-memory.dmp

Filesize
4KB

Download
memory/5280-428-0x00000155FB0E0000-0x00000155FB0E1000-memory.dmp

Filesize
4KB

Download
memory/5280-549-0x00000155FB0E0000-0x00000155FB0E1000-memory.dmp

Filesize
4KB

Download
memory/5280-640-0x00000155FB0E0000-0x00000155FB0E1000-memory.dmp

Filesize
4KB

Download
memory/5280-393-0x00000155FB0E0000-0x00000155FB0E1000-memory.dmp

Filesize
4KB

Download
memory/5288-382-0x000002584B830000-0x000002584B831000-memory.dmp

Filesize
4KB

Download
memory/5288-574-0x000002584B830000-0x000002584B831000-memory.dmp

Filesize
4KB

Download
memory/5288-612-0x000002584B830000-0x000002584B831000-memory.dmp

Filesize
4KB

Download
memory/5288-413-0x000002584B830000-0x000002584B831000-memory.dmp

Filesize
4KB

Download
memory/5288-619-0x000002584B830000-0x000002584B831000-memory.dmp

Filesize
4KB

Download
memory/5288-385-0x000002584B830000-0x000002584B831000-memory.dmp

Filesize
4KB

Download
memory/5376-305-0x000001E203210000-0x000001E203211000-memory.dmp

Filesize
4KB

Download
memory/5376-398-0x000001E203210000-0x000001E203211000-memory.dmp

Filesize
4KB

Download
memory/5376-331-0x000001E203210000-0x000001E203211000-memory.dmp

Filesize
4KB

Download
memory/5376-443-0x000001E203210000-0x000001E203211000-memory.dmp

Filesize
4KB

Download
memory/5376-265-0x000001E203210000-0x000001E203211000-memory.dmp

Filesize
4KB

Download
memory/5376-279-0x000001E203210000-0x000001E203211000-memory.dmp

Filesize
4KB

Download
memory/5376-465-0x000001E203210000-0x000001E203211000-memory.dmp

Filesize
4KB

Download
memory/5384-396-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-278-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-306-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-264-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-451-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-494-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-547-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-411-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-418-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5384-436-0x000001D8B9120000-0x000001D8B9121000-memory.dmp

Filesize
4KB

Download
memory/5536-578-0x0000016F9C090000-0x0000016F9C091000-memory.dmp

Filesize
4KB

Download
memory/5996-358-0x000001D5D1800000-0x000001D5D1801000-memory.dmp

Filesize
4KB

Download