
Windows Analysis Report
Prism2Installer_5.16.0.exe

Overview

General Information

Sample name:Prism2Installer_5.16.0.exe
Analysis ID:1540391
MD5:c68a2b8f2d38f0878728cf372b38d61d
SHA1:7b22b800110e35298db6916fac5baae1c8fbadb8
SHA256:8dab9b8ba64255c67d2f47c48ee6799f988412dabe61fb5cb32be8b3acbd5c6f

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:20%

Signatures

Checks for available system drives (often done to infect USB drives)
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • Prism2Installer_5.16.0.exe (PID: 4504 cmdline: "C:\Users\user\Desktop\Prism2Installer_5.16.0.exe" MD5: C68A2B8F2D38F0878728CF372B38D61D)
    • Prism2Installer_5.16.0.tmp (PID: 1800 cmdline: "C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp" /SL5="$2043C,13061428,722432,C:\Users\user\Desktop\Prism2Installer_5.16.0.exe" MD5: 6C38595D6F1B9F7FF6D63EF3E34B5980)
      • PrismII.exe (PID: 3052 cmdline: "C:\PrismII\PrismII.exe" MD5: 12FAE7511A984DF2C87DE60F746FF524)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures; all signature results are listed below.

Source: Prism2Installer_5.16.0.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4FEB6242-809F-4FB9-8944-A78F798F1B1F}_is1
Source: Prism2Installer_5.16.0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\PrismII\PrismII.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File opened: c:
Source: PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://10.0.0.199
Source: PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, is-M9UEN.tmp.1.dr | String found in binary or memory: http://127.0.0.1&http://192.168.1.25
Source: PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://192.168.1.25
Source: Prism2Installer_5.16.0.tmp, 00000001.00000003.2027888808.0000000005970000.00000004.00001000.00020000.00000000.sdmp, is-KO5KN.tmp.1.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Prism2Installer_5.16.0.tmp, 00000001.00000003.2027888808.0000000005970000.00000004.00001000.00020000.00000000.sdmp, is-KO5KN.tmp.1.dr | String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: Prism2Installer_5.16.0.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: PrismII.exe, 00000006.00000000.2000811021.0000000000FA4000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: https://www.aaon.com
Source: Prism2Installer_5.16.0.tmp, 00000001.00000003.1801585909.0000000003370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.aaon.com/
Source: Prism2Installer_5.16.0.tmp, 00000001.00000003.2032390052.0000000000CD3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.aaon.com/Q9
Source: PrismII.exe, 00000006.00000000.2000811021.0000000000FA4000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: https://www.aaon.com/aaon-controls-technical-support
Source: PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: https://www.aaon.com/aaon-controls-technical-support(https://www.aaon.comT
Source: Prism2Installer_5.16.0.exe, 00000000.00000003.1797999514.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.exe, 00000000.00000003.1798421873.000000007FB7B000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.tmp, 00000001.00000000.1800021829.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Prism2Installer_5.16.0.tmp.0.dr, is-JJU1I.tmp.1.dr | String found in binary or memory: https://www.innosetup.com/
Source: Prism2Installer_5.16.0.exe, 00000000.00000003.1797999514.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.exe, 00000000.00000003.1798421873.000000007FB7B000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.tmp, 00000001.00000000.1800021829.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Prism2Installer_5.16.0.tmp.0.dr, is-JJU1I.tmp.1.dr | String found in binary or memory: https://www.remobjects.com/ps
Source: Prism2Installer_5.16.0.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-JJU1I.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Prism2Installer_5.16.0.exe, 00000000.00000003.1798421873.000000007FE2E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs Prism2Installer_5.16.0.exe
Source: Prism2Installer_5.16.0.exe, 00000000.00000000.1796545569.00000000004B9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs Prism2Installer_5.16.0.exe
Source: Prism2Installer_5.16.0.exe, 00000000.00000003.1797999514.0000000002972000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs Prism2Installer_5.16.0.exe
Source: Prism2Installer_5.16.0.exe | Binary or memory string: OriginalFileName vs Prism2Installer_5.16.0.exe
Source: classification engine | Classification label: clean2.winEXE@5/18@0/0
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prism2.lnk
Source: C:\PrismII\PrismII.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | File created: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Prism2Installer_5.16.0.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | File read: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe
Source: unknown | Process created: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe "C:\Users\user\Desktop\Prism2Installer_5.16.0.exe"
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp "C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp" /SL5="$2043C,13061428,722432,C:\Users\user\Desktop\Prism2Installer_5.16.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Process created: C:\PrismII\PrismII.exe "C:\PrismII\PrismII.exe"
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | Sections loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Sections loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (3 times), shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, textshaping.dll, dwmapi.dll, windows.storage.dll, wldp.dll, sspicli.dll, explorerframe.dll, sfc.dll, sfc_os.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, srvcli.dll, cscapi.dll, apphelp.dll, netutils.dll
Source: C:\PrismII\PrismII.exe | Sections loaded: apphelp.dll, msvbvm60.dll, vb6zz.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, textshaping.dll, mpr.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll (3 times)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Prism2.lnk.1.dr | LNK file: ..\..\..\..\..\..\..\..\PrismII\PrismII.exe
Source: Prism2.lnk0.1.dr | LNK file: ..\..\..\PrismII\PrismII.exe
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Automated clicks, in order: Next, Next, Install, Next
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Prism2Installer_5.16.0.exe | Static file information: File size 13908305 > 1048576
Source: Prism2Installer_5.16.0.exe | Static PE information: section name: .didata
Source: Prism2Installer_5.16.0.tmp.0.dr | Static PE information: section name: .didata
Source: is-JJU1I.tmp.1.dr | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created (dropped file): C:\Users\user\AppData\Local\Temp\is-43D6P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created (dropped file): C:\PrismII\MailSend.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created (dropped file): C:\PrismII\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created (dropped file): C:\PrismII\PrismII.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created (dropped file): C:\PrismII\is-JJU1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created (dropped file): C:\PrismII\is-KO5KN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | File created (dropped file): C:\PrismII\is-M9UEN.tmp
Source: C:\Users\user\Desktop\Prism2Installer_5.16.0.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 times)
Source: C:\PrismII\PrismII.exe | Process information set: NOOPENFILEERRORBOX (11 times)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-43D6P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Dropped PE file which has not been started: C:\PrismII\MailSend.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Dropped PE file which has not been started: C:\PrismII\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Dropped PE file which has not been started: C:\PrismII\is-JJU1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Dropped PE file which has not been started: C:\PrismII\is-KO5KN.tmp
Source: Prism2Installer_5.16.0.tmp, 00000001.00000003.2030717531.00000000008FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: PrismII.exe, 00000006.00000000.2022660255.0000000008EDB000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: wzuuwstwrtwrRSPKJHLKILLIKJHIHFHGFSTQgjgkolimj]`]MLJNMJPOMSROTSQTTQTSQSRPQQOOOMONL:;8886RRPVUSVVTVVTVVTVVTVVTVVTUUSSSQ<=<'('CCBFEDFFEHGFHHGEEDDDCDDCDDCDDDEEDDFD$%$...???776UWS\ffcux^oqaruastbtt_qq^qrcvzbtx]knmy
Source: PrismII.exe, 00000006.00000000.2022660255.0000000007761000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: sytlogbaS^\Lhg[mmdopfbcXspe~{srkVmhPliQkiQmjRnkSnkSolTplTkdM_SAul]siXi^KcWBe[Ii^LdXCcWB`S>^Q<[N:YM9UJ7PF5qeMuhP
Source: Prism2Installer_5.16.0.tmp, 00000001.00000003.2030717531.00000000008FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | Queries volume information: C:\ VolumeInformation (twice)
MITRE ATT&CK Matrix

Techniques with matching signatures, grouped by tactic (the number in parentheses is the count of matching signatures):

  • Initial Access: Replication Through Removable Media (1)
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: Windows Service (1), DLL Side-Loading (1)
  • Privilege Escalation: Windows Service (1), Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1), Process Injection (1), DLL Side-Loading (1)
  • Discovery: Security Software Discovery (1), Process Discovery (1), Peripheral Device Discovery (11), System Owner/User Discovery (2), File and Directory Discovery (1), System Information Discovery (11)
  • Reconnaissance, Resource Development, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact: no matching signatures
Behavior Graph

Behavior Graph ID: 1540391 | Sample: Prism2Installer_5.16.0.exe | Start date: 23/10/2024 | Architecture: WINDOWS | Score: 2

  • Prism2Installer_5.16.0.exe started
    • dropped C:\Users\user\...\Prism2Installer_5.16.0.tmp (PE32)
    • started Prism2Installer_5.16.0.tmp
      • dropped C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      • dropped C:\PrismII\unins000.exe (copy) (PE32)
      • dropped C:\PrismII\is-M9UEN.tmp (PE32)
      • dropped 4 other files (none is malicious)
      • started PrismII.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:

Source | Detection | Scanner
Prism2Installer_5.16.0.exe | 5% | ReversingLabs

Dropped files:

Source | Detection | Scanner
C:\PrismII\MailSend.exe (copy) | 3% | ReversingLabs
C:\PrismII\PrismII.exe (copy) | 3% | ReversingLabs
C:\PrismII\is-JJU1I.tmp | 0% | ReversingLabs
C:\PrismII\is-KO5KN.tmp | 3% | ReversingLabs
C:\PrismII\is-M9UEN.tmp | 3% | ReversingLabs
C:\PrismII\unins000.exe (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-43D6P.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp | 0% | ReversingLabs

No Antivirus matches

URLs:

Source | Detection | Scanner | Label
https://www.remobjects.com/ps | 0% | URL Reputation | safe
https://www.innosetup.com/ | 0% | URL Reputation | safe
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Prism2Installer_5.16.0.exe | false | (none) | unknown
https://www.aaon.com/Q9 | Prism2Installer_5.16.0.tmp, 00000001.00000003.2032390052.0000000000CD3000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://www.openssl.org/support/faq.html.................... | Prism2Installer_5.16.0.tmp, 00000001.00000003.2027888808.0000000005970000.00000004.00001000.00020000.00000000.sdmp, is-KO5KN.tmp.1.dr | false | (none) | unknown
https://www.aaon.com | PrismII.exe, 00000006.00000000.2000811021.0000000000FA4000.00000020.00000001.01000000.00000008.sdmp | false | (none) | unknown
https://www.remobjects.com/ps | Prism2Installer_5.16.0.exe, 00000000.00000003.1797999514.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.exe, 00000000.00000003.1798421873.000000007FB7B000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.tmp, 00000001.00000000.1800021829.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Prism2Installer_5.16.0.tmp.0.dr, is-JJU1I.tmp.1.dr | false | URL Reputation: safe | unknown
https://www.innosetup.com/ | Prism2Installer_5.16.0.exe, 00000000.00000003.1797999514.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.exe, 00000000.00000003.1798421873.000000007FB7B000.00000004.00001000.00020000.00000000.sdmp, Prism2Installer_5.16.0.tmp, 00000001.00000000.1800021829.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Prism2Installer_5.16.0.tmp.0.dr, is-JJU1I.tmp.1.dr | false | URL Reputation: safe | unknown
http://10.0.0.199 | PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp | false | (none) | unknown
https://www.aaon.com/aaon-controls-technical-support | PrismII.exe, 00000006.00000000.2000811021.0000000000FA4000.00000020.00000001.01000000.00000008.sdmp | false | (none) | unknown
http://127.0.0.1&http://192.168.1.25 | PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp, is-M9UEN.tmp.1.dr | false | (none) | unknown
https://www.aaon.com/ | Prism2Installer_5.16.0.tmp, 00000001.00000003.1801585909.0000000003370000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://192.168.1.25 | PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp | false | (none) | unknown
https://www.aaon.com/aaon-controls-technical-support(https://www.aaon.comT | PrismII.exe, 00000006.00000001.2027335390.0000000000401000.00000020.00000001.01000000.00000008.sdmp | false | (none) | unknown
http://www.openssl.org/support/faq.html | Prism2Installer_5.16.0.tmp, 00000001.00000003.2027888808.0000000005970000.00000004.00001000.00020000.00000000.sdmp, is-KO5KN.tmp.1.dr | false | URL Reputation: safe | unknown
                      No contacted IP infos
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1540391
                      Start date and time:2024-10-23 18:02:47 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 55s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:Prism2Installer_5.16.0.exe
                      Detection:CLEAN
                      Classification:clean2.winEXE@5/18@0/0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: Prism2Installer_5.16.0.exe
                      No simulations
                      No context
                      No context
                      No context
                      No context
Match:C:\Users\user\AppData\Local\Temp\is-43D6P.tmp\_isetup\_setup64.tmp
• Associated Sample Name / URL: Reminder.exe, Detection: malicious, Threat Name: Amadey
• Associated Sample Name / URL: yM3BrI8G1E, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious, Threat Name: Xmrig
• Associated Sample Name / URL: Reminder.exe, Detection: malicious, Threat Name: Amadey
• Associated Sample Name / URL: Reminder.exe, Detection: malicious, Threat Name: Amadey
• Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe?, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: http://www.5movierulz.mom, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: SecuriteInfo.com.FileRepMalware.4445.21502.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: NETGATE Spy Emergency.exe, Detection: malicious, Threat Name: Amadey
                                          Process:C:\PrismII\PrismII.exe
                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                          Category:dropped
                                          Size (bytes):127500
                                          Entropy (8bit):0.2084884467486285
                                          Encrypted:false
                                          SSDEEP:3:xJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdJdl:3
                                          MD5:141AC3CA5348DC0F1E91AE8D09A88A91
                                          SHA1:127CCF0ED298E898DDBF5AE80F0708A33102D18A
                                          SHA-256:E300851A5AA92326883560DED5D61D2A49813F741A171F09F7207CFBD5E44B03
                                          SHA-512:932B19D31710BC888235AD27FC953F7AB870EAE81C5C6F0F087DADD443B6C06D9D81B0E0F8F4FBA0655C9A517BB91D0A65663D75507E550A465A0141C18D14E0
                                          Malicious:false
                                          Reputation:low
                                          Preview:0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
                                          Process:C:\PrismII\PrismII.exe
                                          File Type:ASCII text, with very long lines (20000), with no line terminators
                                          Category:dropped
                                          Size (bytes):20000
                                          Entropy (8bit):0.8475117683201995
                                          Encrypted:false
                                          SSDEEP:3:ZML0FLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLdLd7:5V
                                          MD5:3B7DDC02568FDCD6B178B67D2CE43441
                                          SHA1:43427AD63EBE3C4625EA1F6C0A0B43F12E1B3EB1
                                          SHA-256:671D41364BDE515117A82CEF51DF84BD4E5995C4A02F533C2ED26EE263D5214C
                                          SHA-512:706ED1B4CA3DBA16B75444E797E02E4D8D919FE9A2A80BC71FF89764B767F2EFB3EEB9B7F89DFA85C6D67FDD547E6C33A25C28ADA485BA5C420037FDDD965E70
                                          Malicious:false
                                          Reputation:low
                                          Preview:Main Site 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                          Category:dropped
                                          Size (bytes):550275
                                          Entropy (8bit):0.7020187553487591
                                          Encrypted:false
                                          SSDEEP:192:J6NZdZGHwHEfg0sFXVOOU4BKZX9c3mWC4D:J6NZd6+0sF6ZzWCo
                                          MD5:328933622B50C917264B13D38079063C
                                          SHA1:73A72629E22707884CD8A18AF2EE850D9EC4FB31
                                          SHA-256:AF0568A5EB402A0F03CF42C71CE31964C5C86683BA0E5C189B61ADC8B650DE6A
                                          SHA-512:D323AB54806E49329128AC0842139FB2EE73DEBA8DB7DAB2D5C9EA98AC7BA3002D8E3C735C6CF3CA3F9C5E269A02C9F17476666C98BB3D0D943108B6B27AF914
                                          Malicious:false
                                          Reputation:low
                                          Preview:No Unit Exists Unknown Type of Unit No Unit Exists Unknown Type of Unit No Unit Exists Unknown Type of Unit SZ Zone Controller Simple Zone Box Controller
                                          Process:C:\PrismII\PrismII.exe
                                          File Type:ISO-8859 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1130
                                          Entropy (8bit):1.509057373761245
                                          Encrypted:false
                                          SSDEEP:24:xDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDf:xDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDf
                                          MD5:53F567827BEF0B8B36C3538A923BA13B
                                          SHA1:0FBD5AD7D1103A8233DA99EDFB080E7DE913BF2B
                                          SHA-256:E66DE109DB354CEBB0B083FBD6AB89634D628CF1A87F18CAB07C8B7517359AC0
                                          SHA-512:49F649C70BC06DA2D52E024BDAA2215E2F53E3DABEDCD61F97A7644DF08B5D7EE80AE614D210B6327676FC62C3E91355A29DA5C1A4ADEC3E8E5FC9371579A8FB
                                          Malicious:false
                                          Reputation:low
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                          Category:dropped
                                          Size (bytes):550275
                                          Entropy (8bit):0.7020187553487591
                                          Encrypted:false
                                          SSDEEP:192:J6NZdZGHwHEfg0sFXVOOU4BKZX9c3mWC4D:J6NZd6+0sF6ZzWCo
                                          MD5:328933622B50C917264B13D38079063C
                                          SHA1:73A72629E22707884CD8A18AF2EE850D9EC4FB31
                                          SHA-256:AF0568A5EB402A0F03CF42C71CE31964C5C86683BA0E5C189B61ADC8B650DE6A
                                          SHA-512:D323AB54806E49329128AC0842139FB2EE73DEBA8DB7DAB2D5C9EA98AC7BA3002D8E3C735C6CF3CA3F9C5E269A02C9F17476666C98BB3D0D943108B6B27AF914
                                          Malicious:false
                                          Reputation:low
                                          Preview:No Unit Exists Unknown Type of Unit No Unit Exists Unknown Type of Unit No Unit Exists Unknown Type of Unit SZ Zone Controller Simple Zone Box Controller
                                          Process:C:\PrismII\PrismII.exe
                                          File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):74
                                          Entropy (8bit):4.620403908991135
                                          Encrypted:false
                                          SSDEEP:3:v46KxaN66VUcNYo60RFaJX2n:fqG66+jlJX2
                                          MD5:A5048EEACF05155534D634A7CBCC1F20
                                          SHA1:EEEA8C94C6042D683D3C0E9DB7F02608333C7BFA
                                          SHA-256:940196391DE9A2B2CF572707F6361C46BFBC5B0D6FCFD5DFA94530C97FE50173
                                          SHA-512:05E68EAC03D761D2E43DE4643A30B0683BBCFA193E701481AF9CB173193F1D34687C1149E619B51CB717AF140D1F5F0BFECEA432DF686D82B66EC8A33A09E03B
                                          Malicious:false
                                          Reputation:low
                                          Preview:................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):540672
                                          Entropy (8bit):6.589943901912389
                                          Encrypted:false
                                          SSDEEP:6144:79fc73w/dP4/I4gtm5HIpB+hppFsbFBAIzKCJ66vnRNdh3Xqk+Vyua+L94U3Xiyq:hfhw/BC+hpspM6v33XX+VlZLqpPvx
                                          MD5:BCD5976DB70B789102E990086873EB38
                                          SHA1:D1E4E12D1396D1EF0C5388B857C3601E4E1E9034
                                          SHA-256:EC6160907197B2DD7713EFFF72668F1B540A5761EB3E7553E1029F09800AC6F5
                                          SHA-512:6065071290F9BFE7745490A88436FA7A7A581FB15967A689886B1F7E78F841B55F59CE4F37D895E81CB3298281C993548497FC161CDCF60B65CA7B0A6C45473B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 3%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[......H...H...Hd..H...H...H...H...H...H}..H...H...H...H...H#..HRich...H................PE..L...[..H..........................................@..........................p..............................................`+..d....................................................................................................................text...`........................... ..`.rdata...b.......p..................@..@.data...4!...@.......@..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):157048832
                                          Entropy (8bit):5.432892718392887
                                          Encrypted:false
                                          SSDEEP:3145728:ux4/dOauM1ChXamq0OaexFgHt3gPNBYSH7HKGFreSWd/VlrPtjZ1yHrAzirQywGx:I4/OM1ChXavkQlW/VlrPtjZ1yHrAzir+
                                          MD5:12FAE7511A984DF2C87DE60F746FF524
                                          SHA1:CECE15423818928AB82C9E129D01750CDC4836DE
                                          SHA-256:C8D34A2ABCAF6931CE705402DF9D5E65EB2FDFDF84D53BEF00230CA94C870ECF
                                          SHA-512:3CD47936CBB03DC8C81CD5F0CADB348119691AC05EF230844FB037031D102D7A6783E85A22449B53FDB249123283E61F96868D74076A891C9BA899CE61EA35FB
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 3%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L...o..f.................0...@a.....LN.......@....@...........................g......Y].........................................(....p..z.V.................................................................0... ....................................text...l .......0.................. ..`.data....'...@.......@..............@....rsrc...z.V..p....V..P..............@..@..^............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3057725
                                          Entropy (8bit):6.399602928454567
                                          Encrypted:false
                                          SSDEEP:49152:4dJYVM+9JtzZWnoS2VC23aun8+f5KuGUOY9IGTiOynqT333vR:qJYVM+LtVt3P/KuGUONGTi3M3335
                                          MD5:36FDE363AFE35A339601753EECD23872
                                          SHA1:1B32EEBB3C26591F9B5BE42808BDEE32757944CD
                                          SHA-256:9F1A92C3D43010A4D13B4042FFF39F7883BFDF8061F62B7C8B976533579622F4
                                          SHA-512:00E00708F389A89A6C2C29E0F385D62518EC1C65F16FBFA9BED1C57BFB2CDD1406A92FE0AF6C06C0F5D57AFB156D952624F4B9DDB1382404CEB418B817CCFFAD
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...et~f..................*...........*.......*...@.......................... /...........@......@...................P,.n.....,.j:....,.d....................................................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.rsrc...d.....,.......+.............@..@.............`0......./.............@..@........................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):540672
                                          Entropy (8bit):6.589943901912389
                                          Encrypted:false
                                          SSDEEP:6144:79fc73w/dP4/I4gtm5HIpB+hppFsbFBAIzKCJ66vnRNdh3Xqk+Vyua+L94U3Xiyq:hfhw/BC+hpspM6v33XX+VlZLqpPvx
                                          MD5:BCD5976DB70B789102E990086873EB38
                                          SHA1:D1E4E12D1396D1EF0C5388B857C3601E4E1E9034
                                          SHA-256:EC6160907197B2DD7713EFFF72668F1B540A5761EB3E7553E1029F09800AC6F5
                                          SHA-512:6065071290F9BFE7745490A88436FA7A7A581FB15967A689886B1F7E78F841B55F59CE4F37D895E81CB3298281C993548497FC161CDCF60B65CA7B0A6C45473B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 3%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[......H...H...Hd..H...H...H...H...H...H}..H...H...H...H...H#..HRich...H................PE..L...[..H..........................................@..........................p..............................................`+..d....................................................................................................................text...`........................... ..`.rdata...b.......p..................@..@.data...4!...@.......@..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):157048832
                                          Entropy (8bit):5.432892718392887
                                          Encrypted:false
                                          SSDEEP:3145728:ux4/dOauM1ChXamq0OaexFgHt3gPNBYSH7HKGFreSWd/VlrPtjZ1yHrAzirQywGx:I4/OM1ChXavkQlW/VlrPtjZ1yHrAzir+
                                          MD5:12FAE7511A984DF2C87DE60F746FF524
                                          SHA1:CECE15423818928AB82C9E129D01750CDC4836DE
                                          SHA-256:C8D34A2ABCAF6931CE705402DF9D5E65EB2FDFDF84D53BEF00230CA94C870ECF
                                          SHA-512:3CD47936CBB03DC8C81CD5F0CADB348119691AC05EF230844FB037031D102D7A6783E85A22449B53FDB249123283E61F96868D74076A891C9BA899CE61EA35FB
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 3%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L...o..f.................0...@a.....LN.......@....@...........................g......Y].........................................(....p..z.V.................................................................0... ....................................text...l .......0.................. ..`.data....'...@.......@..............@....rsrc...z.V..p....V..P..............@..@..^............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:InnoSetup Log Prism2 {4FEB6242-809F-4FB9-8944-A78F798F1B1F}, version 0x418, 1749 bytes, 367706\37\user\376, C:\PrismII\376\377\377\007
                                          Category:dropped
                                          Size (bytes):1749
                                          Entropy (8bit):3.4075468737866204
                                          Encrypted:false
                                          SSDEEP:48:3GswYUM9iCy1CiCyfiCysw9e7xeUhdR4O:xMC0HCZCJJ7Hhbt
                                          MD5:A2214AF45642CAD2A28AE24634CB6576
                                          SHA1:E375B5E322F81DB195CB82A5DFA5E82F94452DE1
                                          SHA-256:8CD33239402A5FDFE443414FFA138FE465C1BC0A3815114360F80218B7DBB489
                                          SHA-512:C12128851DD7526D8208B2911028318F54D0A88A18929B2FA0F3FF36909819BB231F3F3783B9BE2035D33AD63AEB0A108036AC9D9B4435FD0C2FDB1FE2880B85
                                          Malicious:false
                                          Preview:Inno Setup Uninstall Log (b)....................................{4FEB6242-809F-4FB9-8944-A78F798F1B1F}..........................................................................................Prism2......................................................................................................................................%.................................................................................................................9...........J.......O........3.6.7.7.0.6......j.o.n.e.s......C.:.\.P.r.i.s.m.I.I...................._.. ........................C.:.\.P.r.i.s.m.I.I..d...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.(.D.e.f.a.u.l.t.)......(.D.e.f.a.u.l.t.)......e.n.g.l.i.s.h......................C.:.\.P.r.i.s.m.I.I........F........C.:.\.P.r.i.s.m.I.I.\.P.r.i.s.m.I.I...e.x.e............................H........C.:.\.P.r.i.s.m.I.I.\.M.a.i.l.S.e.n.d...e.x.e.....................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3057725
                                          Entropy (8bit):6.399602928454567
                                          Encrypted:false
                                          SSDEEP:49152:4dJYVM+9JtzZWnoS2VC23aun8+f5KuGUOY9IGTiOynqT333vR:qJYVM+LtVt3P/KuGUONGTi3M3335
                                          MD5:36FDE363AFE35A339601753EECD23872
                                          SHA1:1B32EEBB3C26591F9B5BE42808BDEE32757944CD
                                          SHA-256:9F1A92C3D43010A4D13B4042FFF39F7883BFDF8061F62B7C8B976533579622F4
                                          SHA-512:00E00708F389A89A6C2C29E0F385D62518EC1C65F16FBFA9BED1C57BFB2CDD1406A92FE0AF6C06C0F5D57AFB156D952624F4B9DDB1382404CEB418B817CCFFAD
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...et~f..................*...........*.......*...@.......................... /...........@......@...................P,.n.....,.j:....,.d....................................................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.rsrc...d.....,.......+.............@..@.............`0......./.............@..@........................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):6144
                                          Entropy (8bit):4.720366600008286
                                          Encrypted:false
                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Reminder.exe, Detection: malicious
• Filename: yM3BrI8G1E, Detection: malicious
• Filename: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious
• Filename: Reminder.exe, Detection: malicious
• Filename: Reminder.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: SecuriteInfo.com.FileRepMalware.4445.21502.exe, Detection: malicious
• Filename: NETGATE Spy Emergency.exe, Detection: malicious
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\Prism2Installer_5.16.0.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3033600
                                          Entropy (8bit):6.413371256177009
                                          Encrypted:false
                                          SSDEEP:49152:gdJYVM+9JtzZWnoS2VC23aun8+f5KuGUOY9IGTiOynqT333v1:SJYVM+LtVt3P/KuGUONGTi3M333N
                                          MD5:6C38595D6F1B9F7FF6D63EF3E34B5980
                                          SHA1:AAE6E7BE296BACA2149E9C8D30F2AF681B980F1A
                                          SHA-256:DF865795D2FE4D67ADDE0694FAE8C3C244819A23F7D63EB2CFB83BBB94BFBCE7
                                          SHA-512:CFD0186116F4EDCA42DD3AD3C70995CEC36FC173EFE9E343E7503CD629698D94E2971D09DB3ED1191E2995E2F4983F9A3138D1ED7E7F90F5DF4D0BFB8E37D6DB
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...et~f..................*...........*.......*...@.......................... /...........@......@...................P,.n.....,.j:....,.d....................................................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.rsrc...d.....,.......+.............@..@.............`0......./.............@..@........................................................
                                          Process:C:\PrismII\PrismII.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):16384
                                          Entropy (8bit):2.2178718217522224
                                          Encrypted:false
                                          SSDEEP:48:rBkB5ItciePVwcg6I6K/UaR4xjU2vldpLXGIp11V/Sq:2UC3zjIF4xvPBW
                                          MD5:3D872D3F126C3F478F6080204D0585DF
                                          SHA1:BD2CCB67E0C7A6A39D4659124C7BDCFC9B5D96DD
                                          SHA-256:1071E385DE9E3B8228E512AA4EB6D0D5E8F133F48150D5E3260FC68B0B618748
                                          SHA-512:0D9C272D959101476A2DCC9D488ECFEC36F4EDD7D423F0FF9F9F582727B4185C33175D2A2C4023CFFAF060EC0F2DA409C76D83CEA0A6A1C7F60E2F8F6DC8C3DD
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Oct 23 15:04:00 2024, mtime=Wed Oct 23 15:04:03 2024, atime=Tue Aug 27 12:06:40 2024, length=157048832, window=hide
                                          Category:dropped
                                          Size (bytes):657
                                          Entropy (8bit):4.471494448627936
                                          Encrypted:false
                                          SSDEEP:12:8mbOYpzB8m/y1c1xjAomIRTmkBpiHdHIBmV:8mb561yFAomIRTbiHdHIBm
                                          MD5:0F62AB761F67C315E3B4CCB20A699B0A
                                          SHA1:AB33CD084CD4F30E9B3398C6ED99AC046AAD3545
                                          SHA-256:480B7F409F4C5B0C59D670236A2D1834ACD7490D744A2E6A31D89661CE7FE8CB
                                          SHA-512:313518838367837609A4C540ED1FAD98358F4740A1BE9A77ED710D2805BE8D99E3A918C9F2A5BB8C93F741257F3B81C95E09504875217E099FB59F03A393AA8F
                                          Malicious:false
                                          Preview:L..................F.... .....E,e%...0,.e%...p......`\..........................P.O. .:i.....+00.../C:\...................V.1.....WY....PrismII.@......WY..WY......v......................ZR.P.r.i.s.m.I.I.....b.2..`\..Y.h .PrismII.exe.H......WY..WY......O.........................P.r.i.s.m.I.I...e.x.e.......E...............-.......D...................C:\PrismII\PrismII.exe..+.....\.....\.....\.....\.....\.....\.....\.....\.P.r.i.s.m.I.I.\.P.r.i.s.m.I.I...e.x.e...C.:.\.P.r.i.s.m.I.I.`.......X.......367706...........hT..CrF.f4... .d.T..b...,.......hT..CrF.f4... .d.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                          Process:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Oct 23 15:04:00 2024, mtime=Wed Oct 23 15:04:07 2024, atime=Tue Aug 27 12:06:40 2024, length=157048832, window=hide
                                          Category:dropped
                                          Size (bytes):627
                                          Entropy (8bit):4.54811657368663
                                          Encrypted:false
                                          SSDEEP:12:8mbOGpzB8m/y1c1xjAomBmkBpiHdHIBmV:8mbv61yFAomBbiHdHIBm
                                          MD5:405D849095EBAA8A3CC9CC07CE29E8BE
                                          SHA1:A48BFC802B69B444280CF30DAEBBF61F03C3A1AA
                                          SHA-256:6ABB6323A89B2EFD34317ACAAED2CE713A2ACA4B8EE2C55E8E88C01D8203537F
                                          SHA-512:6A55D1149932C338FADD989253A6E42DDF92821F510FB6946B025DB698742F63CFA0837CA6C2DC7B08C70D25A4E2BADE09908748C4C6CFC821319E99CC4CD392
                                          Malicious:false
                                          Preview:L..................F.... .....E,e%..&.0e%...p......`\..........................P.O. .:i.....+00.../C:\...................V.1.....WY....PrismII.@......WY..WY......v......................ZR.P.r.i.s.m.I.I.....b.2..`\..Y.h .PrismII.exe.H......WY..WY......O.........................P.r.i.s.m.I.I...e.x.e.......E...............-.......D...................C:\PrismII\PrismII.exe........\.....\.....\.P.r.i.s.m.I.I.\.P.r.i.s.m.I.I...e.x.e...C.:.\.P.r.i.s.m.I.I.`.......X.......367706...........hT..CrF.f4... .d.T..b...,.......hT..CrF.f4... .d.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.98617535105383
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 98.45%
                                          • Inno Setup installer (109748/4) 1.08%
                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          File name:Prism2Installer_5.16.0.exe
                                          File size:13'908'305 bytes
                                          MD5:c68a2b8f2d38f0878728cf372b38d61d
                                          SHA1:7b22b800110e35298db6916fac5baae1c8fbadb8
                                          SHA256:8dab9b8ba64255c67d2f47c48ee6799f988412dabe61fb5cb32be8b3acbd5c6f
                                          SHA512:aafcf32ff567faaac39cf175e705e36bcbff8350dc0e8ef861c2531d9f5e9b726bed2b52331fcf638b7ba12cc2045eed59f014d62dc5b6b768600eaa8d176838
                                          SSDEEP:196608:11br2DhBQ5w94phkkKVnH6IVRlvHKkMdB2KVoMoz3nW6ix3ttn1x1cFmwEUZSm5X:1Nrmhq84pNunHVRdL967n1IQsSOiZ8D
                                          TLSH:BDE63317B3CBA43DF05E5B370AB2909858F76632A813AE16DBE8447CCF190601E7E756
                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                          Icon Hash:499b3174cecd2b41
                                          Entrypoint:0x4a83bc
                                          Entrypoint Section:.itext
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x667E7465 [Fri Jun 28 08:29:25 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:1
                                          File Version Major:6
                                          File Version Minor:1
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:1
                                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                          Instruction
                                          push ebp
                                          mov ebp, esp
                                          add esp, FFFFFFA4h
                                          push ebx
                                          push esi
                                          push edi
                                          xor eax, eax
                                          mov dword ptr [ebp-3Ch], eax
                                          mov dword ptr [ebp-40h], eax
                                          mov dword ptr [ebp-5Ch], eax
                                          mov dword ptr [ebp-30h], eax
                                          mov dword ptr [ebp-38h], eax
                                          mov dword ptr [ebp-34h], eax
                                          mov dword ptr [ebp-2Ch], eax
                                          mov dword ptr [ebp-28h], eax
                                          mov dword ptr [ebp-14h], eax
                                          mov eax, 004A2EBCh
                                          call 00007FC93C7B9D35h
                                          xor eax, eax
                                          push ebp
                                          push 004A8AC1h
                                          push dword ptr fs:[eax]
                                          mov dword ptr fs:[eax], esp
                                          xor edx, edx
                                          push ebp
                                          push 004A8A7Bh
                                          push dword ptr fs:[edx]
                                          mov dword ptr fs:[edx], esp
                                          mov eax, dword ptr [004B0634h]
                                          call 00007FC93C84B6BBh
                                          call 00007FC93C84B20Eh
                                          lea edx, dword ptr [ebp-14h]
                                          xor eax, eax
                                          call 00007FC93C845EE8h
                                          mov edx, dword ptr [ebp-14h]
                                          mov eax, 004B41F4h
                                          call 00007FC93C7B3DE3h
                                          push 00000002h
                                          push 00000000h
                                          push 00000001h
                                          mov ecx, dword ptr [004B41F4h]
                                          mov dl, 01h
                                          mov eax, dword ptr [0049CD14h]
                                          call 00007FC93C847213h
                                          mov dword ptr [004B41F8h], eax
                                          xor edx, edx
                                          push ebp
                                          push 004A8A27h
                                          push dword ptr fs:[edx]
                                          mov dword ptr fs:[edx], esp
                                          call 00007FC93C84B743h
                                          mov dword ptr [004B4200h], eax
                                          mov eax, dword ptr [004B4200h]
                                          cmp dword ptr [eax+0Ch], 01h
                                          jne 00007FC93C85242Ah
                                          mov eax, dword ptr [004B4200h]
                                          mov edx, 00000028h
                                          call 00007FC93C847B08h
                                          mov edx, dword ptr [004B4200h]
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x3dfc | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc | 0xba000 | 0x3dfc | 0x3e00 | 5decb615500b16f43d9d8a62a0cf972f | False | 0.32913306451612906 | data | 4.41640931219863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_ICON | 0xba438 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.384927797833935
                                          RT_STRING | 0xbace0 | 0x3f8 | data | | | 0.3198818897637795
                                          RT_STRING | 0xbb0d8 | 0x2dc | data | | | 0.36475409836065575
                                          RT_STRING | 0xbb3b4 | 0x430 | data | | | 0.40578358208955223
                                          RT_STRING | 0xbb7e4 | 0x44c | data | | | 0.38636363636363635
                                          RT_STRING | 0xbbc30 | 0x2d4 | data | | | 0.39226519337016574
                                          RT_STRING | 0xbbf04 | 0xb8 | data | | | 0.6467391304347826
                                          RT_STRING | 0xbbfbc | 0x9c | data | | | 0.6410256410256411
                                          RT_STRING | 0xbc058 | 0x374 | data | | | 0.4230769230769231
                                          RT_STRING | 0xbc3cc | 0x398 | data | | | 0.3358695652173913
                                          RT_STRING | 0xbc764 | 0x368 | data | | | 0.3795871559633027
                                          RT_STRING | 0xbcacc | 0x2a4 | data | | | 0.4275147928994083
                                          RT_RCDATA | 0xbcd70 | 0x10 | data | | | 1.5
                                          RT_RCDATA | 0xbcd80 | 0x310 | data | | | 0.6173469387755102
                                          RT_RCDATA | 0xbd090 | 0x2c | data | | | 1.1818181818181819
                                          RT_GROUP_ICON | 0xbd0bc | 0x14 | data | English | United States | 1.15
                                          RT_VERSION | 0xbd0d0 | 0x584 | data | English | United States | 0.25708215297450426
                                          RT_MANIFEST | 0xbd654 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                          DLL | Import
                                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                          comctl32.dll | InitCommonControls
                                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                          Name | Ordinal | Address
                                          __dbk_fcall_wrapper | 2 | 0x40fc10
                                          dbkFCallWrapperAddr | 1 | 0x4b063c
                                          Language of compilation system | Country where language is spoken
                                          English | United States
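The header, directory and section values listed above can be reproduced with a short parser, and two of them deserve a check rather than a glance: DLL Characteristics carries DYNAMIC_BASE, but Image File Characteristics carries RELOCS_STRIPPED and IMAGE_DIRECTORY_ENTRY_BASERELOC is empty, so the loader has no relocations to apply and the image lands at its preferred base (every process in the tree above starts at Imagebase 0x400000); and IMAGE_DIRECTORY_ENTRY_SECURITY being empty is what "Digitally signed: false" means at the byte level. The block below is an added example for this report, not Joe Sandbox's code or the installer's. It builds a constructed, header-only PE32 image that mirrors the values shown for Prism2Installer_5.16.0.exe (entry point 0x4a83bc inside .itext, timestamp 0x667E7465, the section table, empty relocation and security directories), parses it back, and applies both checks. Bit values and offsets are from the PE/COFF specification; the sample bytes are constructed here and are not taken from the file. To run it on a real binary, pass the file contents to parse_pe32.

```python
"""PE32 header parser mirroring the checks in the report above (added example)."""
import struct
from datetime import datetime, timezone

# Bit tables from the PE/COFF specification.
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_CHARACTERISTICS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                           0x80: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                           0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_SECURITY, DIR_BASERELOC = 4, 5  # data directory indices


def decode_flags(value, table):
    """Names of the set bits, lowest bit first (the order the report prints them)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(data):
    """Parse the DOS stub pointer, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsec, ts, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, _, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": decode_flags(sc, SECTION_CHARACTERISTICS)})
    return {"timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "file_characteristics": decode_flags(fchars, FILE_CHARACTERISTICS),
            "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
            "subsystem": subsystem, "image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "directories": dirs, "sections": sections}


def entry_section(pe):
    """Section containing AddressOfEntryPoint, or None if it points outside every section."""
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def aslr_effective(pe):
    """DYNAMIC_BASE only matters if the loader can rebase: relocations must be present."""
    opted_in = "DYNAMIC_BASE" in pe["dll_characteristics"]
    can_rebase = ("RELOCS_STRIPPED" not in pe["file_characteristics"]
                  and pe["directories"][DIR_BASERELOC][1] > 0)
    return opted_in and can_rebase


def has_authenticode(pe):
    """An Authenticode signature lives in IMAGE_DIRECTORY_ENTRY_SECURITY; empty means unsigned."""
    return pe["directories"][DIR_SECURITY][1] > 0


def build_sample_pe32():
    """Constructed header-only image mirroring the report's values; not bytes from the real file."""
    secs = [(b".text", 0xA568C, 0x1000, 0xA5800, 0x60000020),  # name, vsize, va, rawsize, flags
            (b".itext", 0x1B64, 0xA7000, 0x1C00, 0x60000020),
            (b".data", 0x3838, 0xA9000, 0x3A00, 0xC0000040),
            (b".bss", 0x7258, 0xAD000, 0x0, 0xC0000000),
            (b".idata", 0xFEC, 0xB5000, 0x1000, 0xC0000040),
            (b".rsrc", 0x3DFC, 0xBA000, 0x3E00, 0x40000040)]
    dirs = [(0, 0)] * 16
    dirs[1] = (0xB5000, 0xFEC)  # import table; BASERELOC (5) and SECURITY (4) stay empty
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0x667E7465, 0, 0, 0xE0,
                                   0x0001 | 0x0002 | 0x0100)  # RELOCS_STRIPPED|EXECUTABLE|32BIT
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 2, 25,
                      0xA7400, 0x16800, 0x7400, 0xA83BC, 0x1000, 0xA9000, 0x400000, 0x1000, 0x200,
                      6, 1, 6, 1, 6, 1, 0, 0xBE000, 0x400, 0,
                      2, 0x0040 | 0x0100 | 0x8000,  # GUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
                      0x100000, 0x4000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    table, raw = b"", 0x400
    for name, vsize, va, rawsize, flags in secs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, raw if rawsize else 0,
                             0, 0, 0, 0, flags)
        raw += rawsize
    return dos + coff + opt + table


if __name__ == "__main__":
    pe = parse_pe32(build_sample_pe32())
    print("entry", hex(pe["entry_va"]), "in", entry_section(pe), pe["timestamp_utc"])
    print("ASLR effective:", aslr_effective(pe), "| signed:", has_authenticode(pe))
```

The entry-point lookup uses the larger of VirtualSize and SizeOfRawData because Delphi and packed images routinely have one smaller than the other; on this sample it resolves 0x4a83bc to .itext, matching the "Entrypoint Section" field above. aslr_effective returns False for the constructed headers for the reason given in the lead-in, even though DYNAMIC_BASE is set, which is the caveat to carry into any exploitability assessment of a Delphi/Inno Setup binary with these flags.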
                                          No network behavior found


                                          Target ID:0
                                          Start time:12:03:50
                                          Start date:23/10/2024
                                          Path:C:\Users\user\Desktop\Prism2Installer_5.16.0.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Prism2Installer_5.16.0.exe"
                                          Imagebase:0x400000
                                          File size:13'908'305 bytes
                                          MD5 hash:C68A2B8F2D38F0878728CF372B38D61D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:12:03:51
                                          Start date:23/10/2024
                                          Path:C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-VU0SV.tmp\Prism2Installer_5.16.0.tmp" /SL5="$2043C,13061428,722432,C:\Users\user\Desktop\Prism2Installer_5.16.0.exe"
                                          Imagebase:0x400000
                                          File size:3'033'600 bytes
                                          MD5 hash:6C38595D6F1B9F7FF6D63EF3E34B5980
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:6
                                          Start time:12:04:11
                                          Start date:23/10/2024
                                          Path:C:\PrismII\PrismII.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\PrismII\PrismII.exe"
                                          Imagebase:0x400000
                                          File size:157'048'832 bytes
                                          MD5 hash:12FAE7511A984DF2C87DE60F746FF524
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          No disassembly