File name: PrismLauncher-Windows-MSVC-Setup-9.1.exe

Full analysis: https://app.any.run/tasks/4490a209-b98b-41d0-aed8-bb8eaec100c4
Verdict: Malicious activity
Analysis date: November 23, 2024, 16:47:02
OS: Windows 11 Professional (build: 22000, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 255C5FC4DDD206F19D6FDB69B147B5F6
SHA1: DC7B59BDBB3FD8F065B8A53E2B8F742F24E12888
SHA256: E1C336A931699AF16DE244550DA8CE7E1F9B70FD8023AA2FF896D52A603B740F
SSDEEP: 196608:hCFH+/4/qPoxMeuHzDkPZYAXXqI74rEO+FTon2f6Ag7xeDrSe:hCo/4vxYTaRXXqI7AP+FEzASxa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Reads settings of System Certificates

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Creates a software uninstall entry

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Executable content was dropped or overwritten

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Uses TASKKILL.EXE to kill process

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
  • INFO

    • Checks supported languages

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Creates files or folders in the user directory

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Reads the computer name

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Creates files in a temporary directory

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • Reads the machine GUID from the registry

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
    • The process uses the downloaded file

      • PrismLauncher-Windows-MSVC-Setup-9.1.exe (PID: 2808)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 184832
UninitializedDataSize: 2048
EntryPoint: 0x3552
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.1.0.0
ProductVersionNumber: 9.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: Prism Launcher Installer
FileVersion: 9.1.0.0
LegalCopyright: © 2022-2024 Prism Launcher Contributors; © 2021-2022 PolyMC Contributors; © 2012-2021 MultiMC Contributors
ProductName: Prism Launcher
ProductVersion: 9.1.0.0
Total processes: 116
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain: prismlauncher-windows-msvc-setup-9.1.exe → taskkill.exe (no specs) → conhost.exe (no specs)

Process information

PID: 2808
CMD: "C:\Users\admin\Desktop\PrismLauncher-Windows-MSVC-Setup-9.1.exe"
Path: C:\Users\admin\Desktop\PrismLauncher-Windows-MSVC-Setup-9.1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Prism Launcher Installer
Version: 9.1.0.0
Modules (images):
c:\users\admin\desktop\prismlauncher-windows-msvc-setup-9.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 4168
CMD: TaskKill /IM prismlauncher.exe /F
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: PrismLauncher-Windows-MSVC-Setup-9.1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

PID: 4524
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events: 3 327
Read events: 3 311
Write events: 16
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\PrismLauncher | write | InstallDir | C:\Users\admin\AppData\Local\Programs\PrismLauncher
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CLASSES_ROOT\curseforge | write | URL Protocol | (empty)
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CLASSES_ROOT\prismlauncher | write | URL Protocol | (empty)
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher | write | DisplayName | Prism Launcher
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher | write | DisplayIcon | C:\Users\admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher | write | UninstallString | "C:\Users\admin\AppData\Local\Programs\PrismLauncher\uninstall.exe" _?=C:\Users\admin\AppData\Local\Programs\PrismLauncher
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher | write | QuietUninstallString | "C:\Users\admin\AppData\Local\Programs\PrismLauncher\uninstall.exe" /S _?=C:\Users\admin\AppData\Local\Programs\PrismLauncher
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher | write | InstallLocation | C:\Users\admin\AppData\Local\Programs\PrismLauncher
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher | write | Publisher | Prism Launcher Contributors
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher | write | Version | 9.1.0.0
Executable files: 32
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Temp\nsoF4B1.tmp\nsExec.dll | executable | 11092C1D3FBB449A60695C44F9F3D183 | 2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6NetworkAuth.dll | executable | 8C308B0A574781059A21FB5CA95FD95E | 54455722028B0203D2C6C8019CD5F7260ED89FBA03199B5719A4B79364E5EBF2
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Temp\nsoF4B1.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Programs\PrismLauncher\prismlauncher_updater.exe | executable | 8C1BB4354FEECC8A62ADE1A82F385181 | B84CA80DCAD5F212C3C6304DCCD38ED5A70A225D64345A02A7EBB3D38F2E4275
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Temp\nsoF4B1.tmp\System.dll | executable | 192639861E3DC2DC5C08BB8F8C7260D5 | 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Programs\PrismLauncher\qt.conf | binary | 7215EE9C7D9DC229D2921A40E899EC5F | 36A9E7F1C95B82FFB99743E0C5C4CE95D83C9A430AAC59F84EF3CBFAB6145068
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Programs\PrismLauncher\qtlogging.ini | text | 58967A7FCC8CD9D2BDB9B0FC24EED94D | BA15AEE260E7CA1D48016546BAB52FE30C3DA264356B629739C125CD4EB3C700
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Programs\PrismLauncher\prismlauncher_filelink.exe | executable | 0EC4DB5ACDC8FD5E9CE2206E34F1C17E | 9DD0F1445E2DEB46D7CE38AB516988067A994B66B2235A3CC97541D1DFBF7697
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Temp\nsoF4B1.tmp\nsDialogs.dll | executable | B7D61F3F56ABF7B7FF0D4E7DA3AD783D | 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
2808 | PrismLauncher-Windows-MSVC-Setup-9.1.exe | C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6Core.dll | executable | 928709B99A4C567E5B377CDB025D7C91 | 05982FF42BA7AE3074BADAEE1A09FF7F45E694DE815BB06B514B28C28CFE0500
HTTP(S) requests: 20
TCP/UDP connections: 28
DNS requests: 32
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.55.161.191:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
2860 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6a9a8dc8f99a4184 | unknown | whitelisted
3356 | MoUsoCoreWorker.exe | GET | 304 | 23.50.131.196:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1efd43377cf87d87 | unknown | whitelisted
3608 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | whitelisted
3608 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | whitelisted
3608 | firefox.exe | POST | 200 | 2.18.121.71:80 | http://r10.o.lencr.org/ | unknown | whitelisted
3608 | firefox.exe | POST | 200 | 2.18.121.76:80 | http://r10.o.lencr.org/ | unknown | whitelisted
- | - | HEAD | 200 | 23.53.114.19:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | -
- | - | GET | 301 | 52.170.7.25:443 | https://aka.ms/vs/17/release/vc_redist.x64.exe | unknown | -
2860 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ec9bfb4646951b3a | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
3608 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
3608 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
3420 | rundll32.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
772 | OfficeC2RClient.exe | 52.109.32.97:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
- | - | 23.55.161.191:80 | - | Akamai International B.V. | DE | unknown
5552 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3356 | MoUsoCoreWorker.exe | 23.50.131.196:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
3608 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
incoming.telemetry.mozilla.org | 34.120.208.123 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted
telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | whitelisted
google.com | 142.250.185.206 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
ctldl.windowsupdate.com | 23.50.131.196, 23.50.131.216, 23.50.131.202, 23.50.131.200, 199.232.210.172, 199.232.214.172 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
fp2e7a.wpc.phicdn.net | 192.229.221.95, 2606:2800:233:fa02:67b:9ff6:6107:833 | whitelisted
r10.o.lencr.org | 2.18.121.71, 2.18.121.80, 2.18.121.70, 2.18.121.76 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test

No debug info