File name: PrismConvertidor_de_Video_ES.exe

Full analysis: https://app.any.run/tasks/238fa2cb-a89d-43dd-8259-ade8aa541909
Verdict: Malicious activity
Threats:

A loader is malicious software whose purpose is to get onto a device and deliver further payloads: it profiles the host and then installs other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: November 19, 2023, 06:54:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 548B24D457E048F2508B2CC8A8626D05
SHA1: AF27BBDA0F3FD759CB13D941B3A20507DD450D56
SHA256: FB432DDDC56DB28D72D4A9C04FC51367BDDFF2F313723A01BB20829D5A346613
SSDEEP: 49152:08DmyX692o/O2JeznksiElVQee36zMyc9GgBUWJ0TV7u+tW8zhoolhSdPS0KQMH8:pDm469L/5sHiIzHccg6Wok+tW8zhn/Sx

ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore be distorted by user actions and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe. The signature hits below are behavioural (file drops, registry reads, self-relaunch from another path, HTTP downloads of executables) and are also produced by legitimate installers, so weigh them together with the process, file and network details that follow rather than on their own.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PrismConvertidor_de_Video_ES.exe (PID: 3124)
      • nchsetup.exe (PID: 3468)
      • prism.exe (PID: 3832)
      • vpsetup.exe (PID: 4012)
      • nchsetup.exe (PID: 3972)
      • mp3el2.exe (PID: 4072)
      • ffmpeg23.exe (PID: 3532)
      • switchsetup.exe (PID: 4068)
      • nchsetup.exe (PID: 3696)
      • mp3el3.exe (PID: 3236)
      • debutsetup.exe (PID: 1608)
      • nchsetup.exe (PID: 1032)
      • aacdec2.exe (PID: 1208)
      • amrdec2.exe (PID: 1152)
      • mp3el2.exe (PID: 1860)
      • x264enc10.exe (PID: 1360)
      • gamecapturehook3.exe (PID: 1356)
      • doxillionsetup.exe (PID: 2708)
      • libjpeg.exe (PID: 1864)
      • littlecms.exe (PID: 3108)
      • freetype.exe (PID: 2460)
      • 7za32.exe (PID: 3268)
      • nchsetup.exe (PID: 2864)
      • zlib1v3.exe (PID: 3260)
  • SUSPICIOUS

    • Starts itself from another location

      • nchsetup.exe (PID: 3468)
      • nchsetup.exe (PID: 3972)
      • nchsetup.exe (PID: 3696)
      • nchsetup.exe (PID: 1032)
      • nchsetup.exe (PID: 2864)
    • Reads the Internet Settings

      • PrismConvertidor_de_Video_ES.exe (PID: 3124)
      • nchsetup.exe (PID: 3468)
      • prism.exe (PID: 3832)
      • vpsetup.exe (PID: 4012)
      • nchsetup.exe (PID: 3972)
      • switchsetup.exe (PID: 4068)
      • nchsetup.exe (PID: 3696)
      • debutsetup.exe (PID: 1608)
      • nchsetup.exe (PID: 1032)
      • nchsetup.exe (PID: 2864)
      • prism.exe (PID: 3920)
      • doxillionsetup.exe (PID: 2708)
    • Process requests binary or script from the Internet

      • prism.exe (PID: 3832)
      • nchsetup.exe (PID: 3972)
    • Searches for installed software

      • nchsetup.exe (PID: 3972)
      • nchsetup.exe (PID: 3696)
      • nchsetup.exe (PID: 3468)
      • nchsetup.exe (PID: 1032)
      • nchsetup.exe (PID: 2864)
    • Drops a system driver (possible attempt to evade defenses)

      • nchsetup.exe (PID: 1032)
    • Drops 7-zip archiver for unpacking

      • 7za32.exe (PID: 3268)
  • INFO

    • Creates files in a temporary directory

      • PrismConvertidor_de_Video_ES.exe (PID: 3124)
      • prism.exe (PID: 3920)
      • vpsetup.exe (PID: 4012)
      • prism.exe (PID: 3832)
      • mp3el2.exe (PID: 4072)
      • nchsetup.exe (PID: 3972)
      • ffmpeg23.exe (PID: 3532)
      • switchsetup.exe (PID: 4068)
      • mp3el3.exe (PID: 3236)
      • debutsetup.exe (PID: 1608)
      • aacdec2.exe (PID: 1208)
      • amrdec2.exe (PID: 1152)
      • mp3el2.exe (PID: 1860)
      • x264enc10.exe (PID: 1360)
      • gamecapturehook3.exe (PID: 1356)
      • doxillionsetup.exe (PID: 2708)
      • libjpeg.exe (PID: 1864)
      • freetype.exe (PID: 2460)
      • littlecms.exe (PID: 3108)
      • 7za32.exe (PID: 3268)
      • zlib1v3.exe (PID: 3260)
    • Checks supported languages

      • prism.exe (PID: 3832)
      • PrismConvertidor_de_Video_ES.exe (PID: 3124)
      • nchsetup.exe (PID: 3468)
      • prism.exe (PID: 3920)
      • prism.exe (PID: 3904)
      • vpsetup.exe (PID: 4012)
      • nchsetup.exe (PID: 3972)
      • mp3el2.exe (PID: 4072)
      • ffmpeg23.exe (PID: 3532)
      • switchsetup.exe (PID: 4068)
      • videopad.exe (PID: 3872)
      • nchsetup.exe (PID: 3696)
      • mp3el3.exe (PID: 3236)
      • switch.exe (PID: 1436)
      • debutsetup.exe (PID: 1608)
      • nchsetup.exe (PID: 1032)
      • aacdec2.exe (PID: 1208)
      • amrdec2.exe (PID: 1152)
      • wmpnscfg.exe (PID: 3664)
      • mp3el2.exe (PID: 1860)
      • x264enc10.exe (PID: 1360)
      • gamecapturehook3.exe (PID: 1356)
      • debut.exe (PID: 2092)
      • doxillionsetup.exe (PID: 2708)
      • nchsetup.exe (PID: 2864)
      • freetype.exe (PID: 2460)
      • libjpeg.exe (PID: 1864)
      • littlecms.exe (PID: 3108)
      • doxillion.exe (PID: 2548)
      • 7za32.exe (PID: 3268)
      • zlib1v3.exe (PID: 3260)
    • Reads the machine GUID from the registry

      • prism.exe (PID: 3832)
      • prism.exe (PID: 3920)
      • nchsetup.exe (PID: 3972)
      • wmpnscfg.exe (PID: 3664)
    • Reads the computer name

      • PrismConvertidor_de_Video_ES.exe (PID: 3124)
      • nchsetup.exe (PID: 3468)
      • prism.exe (PID: 3920)
      • prism.exe (PID: 3904)
      • vpsetup.exe (PID: 4012)
      • nchsetup.exe (PID: 3972)
      • videopad.exe (PID: 3872)
      • switchsetup.exe (PID: 4068)
      • nchsetup.exe (PID: 3696)
      • switch.exe (PID: 1436)
      • debutsetup.exe (PID: 1608)
      • nchsetup.exe (PID: 1032)
      • wmpnscfg.exe (PID: 3664)
      • prism.exe (PID: 3832)
      • debut.exe (PID: 2092)
      • doxillionsetup.exe (PID: 2708)
      • nchsetup.exe (PID: 2864)
      • doxillion.exe (PID: 2548)
    • Creates files in the program directory

      • nchsetup.exe (PID: 3468)
      • nchsetup.exe (PID: 3972)
      • mp3el2.exe (PID: 4072)
      • ffmpeg23.exe (PID: 3532)
      • nchsetup.exe (PID: 3696)
      • mp3el3.exe (PID: 3236)
      • nchsetup.exe (PID: 1032)
      • aacdec2.exe (PID: 1208)
      • x264enc10.exe (PID: 1360)
      • mp3el2.exe (PID: 1860)
      • gamecapturehook3.exe (PID: 1356)
      • nchsetup.exe (PID: 2864)
      • libjpeg.exe (PID: 1864)
      • freetype.exe (PID: 2460)
      • littlecms.exe (PID: 3108)
      • 7za32.exe (PID: 3268)
      • amrdec2.exe (PID: 1152)
      • zlib1v3.exe (PID: 3260)
    • Creates files or folders in the user directory

      • nchsetup.exe (PID: 3468)
      • nchsetup.exe (PID: 3972)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3664)
    • Application launched itself

      • msedge.exe (PID: 1612)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:21 07:45:58+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2560
InitializedDataSize: 1635840
UninitializedDataSize: -
EntryPoint: 0x1286
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Australian)
CharacterSet: Unicode
CompanyName: NCH Software
FileDescription: Prism, convertidor de vídeo
FileVersion: 10.37ES+
ProductVersion: 10.37ES+
ProductName: Prism
LegalCopyright: NCH Software
InternalName: Prism
OriginalFileName: Prism.exe
No data.
All screenshots are available in the full report
Total processes: 93
Monitored processes: 52
Malicious processes: 14
Suspicious processes: 10

Behavior graph

Graph nodes in report order; "(no specs)" marks processes for which the report records no indicators: start, prismconvertidor_de_video_es.exe, nchsetup.exe, wmpnscfg.exe (no specs), prism.exe, prism.exe (no specs), prism.exe (no specs), vpsetup.exe (no specs), nchsetup.exe, mp3el2.exe (no specs), ffmpeg23.exe (no specs), videopad.exe (no specs), switchsetup.exe (no specs), nchsetup.exe, mp3el3.exe (no specs), switch.exe (no specs), debutsetup.exe (no specs), nchsetup.exe, aacdec2.exe (no specs), amrdec2.exe (no specs), mp3el2.exe (no specs), x264enc10.exe (no specs), gamecapturehook3.exe (no specs), debut.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), doxillionsetup.exe (no specs), nchsetup.exe, libjpeg.exe (no specs), freetype.exe (no specs), 7za32.exe (no specs), zlib1v3.exe (no specs), littlecms.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), doxillion.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), prismconvertidor_de_video_es.exe (no specs)

Process information

PID 1032 (parent process: debutsetup.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\Prism-3776-1\debutsetup.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat" -instby rpPrism -instsvar PRISMRelatedprogramspaidonLLIBInstquickoffLLIBControlonLLIBSpllnkulonLLIBSpltxtfadeonPRISMOutputformatwinv2onUAwwPRISMOutputoptsoffPRISMSetoutdirbtnonPRISMOpenoutfldoffBAZaYPWeTpowUQgePRISMHelptaboffPRISMCompresstboffH3elR4dcPRISMCtaguidev2offPRISMSubtitlesbtnv2onIEOg
Path: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Debut, capturador de vídeo
Exit code: 0
Version: 9.44ES+
Modules (images):
  c:\users\admin\appdata\local\temp\n1s\nchsetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\gdi32.dll

PID 1152 (parent process: nchsetup.exe)
CMD: "C:\Program Files\NCH Software\Debut\amrdec2.exe" -LQUIET -instby fiDebut
Path: C:\Program Files\NCH Software\Debut\amrdec2.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\nch software\debut\amrdec2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID 1208 (parent process: nchsetup.exe)
CMD: "C:\Program Files\NCH Software\Debut\aacdec2.exe" -LQUIET -instby fiDebut
Path: C:\Program Files\NCH Software\Debut\aacdec2.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\nch software\debut\aacdec2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID 1356 (parent process: nchsetup.exe)
CMD: "C:\Program Files\NCH Software\Debut\gamecapturehook3.exe" -LQUIET -instby fiDebut
Path: C:\Program Files\NCH Software\Debut\gamecapturehook3.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\nch software\debut\gamecapturehook3.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID 1360 (parent process: nchsetup.exe)
CMD: "C:\Program Files\NCH Software\Debut\x264enc10.exe" -LQUIET -instby fiDebut
Path: C:\Program Files\NCH Software\Debut\x264enc10.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\nch software\debut\x264enc10.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID 1436 (parent process: nchsetup.exe)
CMD: "C:\Program Files\NCH Software\Switch\switch.exe" -installsched
Path: C:\Program Files\NCH Software\Switch\switch.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: Switch, convertidor de archivos de audio
Exit code: 0
Version: 11.31ES+
Modules (images):
  c:\program files\nch software\switch\switch.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\gdi32.dll

PID 1608 (parent process: prism.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Prism-3776-1\debutsetup.exe" -LQUIET -instby rpPrism -instsvar PRISMRelatedprogramspaidonLLIBInstquickoffLLIBControlonLLIBSpllnkulonLLIBSpltxtfadeonPRISMOutputformatwinv2onUAwwPRISMOutputoptsoffPRISMSetoutdirbtnonPRISMOpenoutfldoffBAZaYPWeTpowUQgePRISMHelptaboffPRISMCompresstboffH3elR4dcPRISMCtaguidev2offPRISMSubtitlesbtnv2onIEOg
Path: C:\Users\admin\AppData\Local\Temp\Prism-3776-1\debutsetup.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Debut, capturador de vídeo
Exit code: 0
Version: 9.44ES+
Modules (images):
  c:\users\admin\appdata\local\temp\prism-3776-1\debutsetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID 1612 (parent process: prism.exe)
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.nchsoftware.com/software/es/thanks.html?software=Prism&appname=Prism&version=10.37&appbits=32&base=prism&domain=nchsoftware&buyoffer=prism&pclass=plus&rgst=0&antivirus=expired&instby=dl&iid=ihbed2yGqRI&help=0&ostype=48&osver=6.1&svar=PRISMRelatedprogramspaidonLLIBInstquickoffLLIBControlonLLIBSpllnkulonLLIBSpltxtfadeonPRISMOutputformatwinv2onUAwwPRISMOutputoptsoffPRISMSetoutdirbtnonPRISMOpenoutfldoffBAZaYPWeTpowUQgePRISMHelptaboffPRISMCompresstboffH3elR4dcPRISMCtaguidev2offPRISMSubtitlesbtnv2onIEOg&usage=040701&usechoice=llinad(1)&daysusedprogram=1&usedsubstpct=0&secsfr=62&active10s=4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
  c:\program files\microsoft\edge\application\msedge.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
  c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID 1700 (parent process: msedge.exe)
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1224,i,13813666247215898253,1358665075291365889,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
  c:\program files\microsoft\edge\application\msedge.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
  c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID 1860 (parent process: nchsetup.exe)
CMD: "C:\Program Files\NCH Software\Debut\mp3el2.exe" -LQUIET -instby fiDebut
Path: C:\Program Files\NCH Software\Debut\mp3el2.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\nch software\debut\mp3el2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
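
The command lines above carry the whole installer chain in their arguments: each nchsetup.exe stub is told which setup file to run (-installer), records who spawned it (-instby rpPrism from Prism, fiDebut from Debut), and the final Edge launch hands the vendor's thanks page a query string with host details (osver, ostype, antivirus, daysusedprogram). The following script, an added example written for this page and not part of the ANY.RUN report or any NCH tool, extracts those fields from the rows above. The rows are copied from the Process information section with the long -instsvar and svar values shortened; nothing else is assumed.

```python
"""Added example, not part of the ANY.RUN report: pull the installer-chain
fields out of the NCH command lines from the Process information section.
The rows below are copied from that section (the long -instsvar/svar blob
is shortened); option names are exactly as they appear there."""
import ntpath
import shlex
from urllib.parse import parse_qs, urlsplit

# (pid, parent image, command line) as listed in the report
PROCESSES = [
    (1032, "debutsetup.exe",
     r'"C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer '
     r'"C:\Users\admin\AppData\Local\Temp\Prism-3776-1\debutsetup.exe" '
     r'-instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat" '
     r'-instby rpPrism -instsvar PRISMRelatedprogramspaidon'),
    (1608, "prism.exe",
     r'"C:\Users\admin\AppData\Local\Temp\Prism-3776-1\debutsetup.exe" '
     r'-LQUIET -instby rpPrism -instsvar PRISMRelatedprogramspaidon'),
    (1152, "nchsetup.exe",
     r'"C:\Program Files\NCH Software\Debut\amrdec2.exe" -LQUIET -instby fiDebut'),
    (1436, "nchsetup.exe",
     r'"C:\Program Files\NCH Software\Switch\switch.exe" -installsched'),
    (1612, "prism.exe",
     r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument '
     "https://www.nchsoftware.com/software/es/thanks.html?software=Prism&version=10.37"
     "&appbits=32&rgst=0&antivirus=expired&instby=dl&ostype=48&osver=6.1"
     "&daysusedprogram=1&secsfr=62&active10s=4"),
]


def split_windows_cmdline(cmd):
    """Split a Windows command line on whitespace, honouring double quotes.
    Non-POSIX shlex keeps backslashes literal and leaves the quotes on the
    token, so they are stripped afterwards."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in shlex.split(cmd, posix=False)]


def parse_cmdline(cmd):
    """Return (image path, {option: value}). '-name value' maps name to value;
    a bare '-FLAG' (such as -LQUIET or -installsched) maps to True."""
    tokens = split_windows_cmdline(cmd)
    image, opts, i = tokens[0], {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name = tok.lstrip("-")
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return image, opts


def installer_chain(processes):
    """One row per process: who launched it, what it was told to install, who
    it says it was installed by, and (for the browser launch) the query-string
    fields the installer reports to the vendor's thanks page."""
    rows = []
    for pid, parent, cmd in processes:
        image, opts = parse_cmdline(cmd)
        installer = opts.get("installer")
        row = {
            "pid": pid,
            "parent": parent,
            "image": ntpath.basename(image),
            "quiet": opts.get("LQUIET") is True,
            "instby": opts.get("instby"),
            "installer": ntpath.basename(installer) if isinstance(installer, str) else None,
            "reported": {},
        }
        target = opts.get("single-argument")
        if isinstance(target, str) and target.startswith("http"):
            row["reported"] = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in installer_chain(PROCESSES):
        print(f'{row["parent"]} -> {row["image"]} (pid {row["pid"]}): '
              f'instby={row["instby"]} installer={row["installer"]} quiet={row["quiet"]}')
        for key in ("antivirus", "osver", "ostype", "daysusedprogram", "secsfr"):
            if key in row["reported"]:
                print(f'    reports {key}={row["reported"][key]}')
```

Run it on the full command lines from the report to see the same chain: Prism downloads a sibling setup, runs it with -LQUIET and -instby rpPrism, that setup unpacks its own nchsetup.exe stub and relaunches it with -installer pointing back at itself, which is the "Starts itself from another location" behaviour flagged above.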
Total events: 12 297
Read events: 10 980
Write events: 1 211
Delete events: 106

Modification events

(PID 3124) PrismConvertidor_de_Video_ES.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID 3124) PrismConvertidor_de_Video_ES.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID 3124) PrismConvertidor_de_Video_ES.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID 3124) PrismConvertidor_de_Video_ES.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID 3468) nchsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Prism\Capabilities
Operation: write | Name: ApplicationDescription | Value: Prism, convertidor de vídeo

(PID 3468) nchsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
Operation: write | Name: Prism | Value: Software\NCH Software\Prism\Capabilities

(PID 3468) nchsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write | Name: GlobalAssocChangedCounter | Value: 115

(PID 3468) nchsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write | Name: GlobalAssocChangedCounter | Value: 116

(PID 3664) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{244A028E-0CA5-498F-808D-318187CB38AE}\{18B9F8F2-C1A7-4EA4-8CF6-91F60DFCCFAE}
Operation: delete key | Name: (default) | Value: (none)

(PID 3664) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{244A028E-0CA5-498F-808D-318187CB38AE}
Operation: delete key | Name: (default) | Value: (none)
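
The four ZoneMap writes (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect) are the standard Local intranet zone values under Internet Settings; they are typically written the first time a process initialises WinINet/urlmon zone settings, which is why "Reads the Internet Settings" fires on almost every process in this report and is a weak indicator by itself. What would matter is a write somewhere else under CurrentVersion, such as an autostart key, and none appears above. The script below is an added example written for this page, not ANY.RUN's or NCH's code: it runs a few key-pattern rules over the events listed above and rates them. The events are copied from the report; the last event in the list is constructed here (it is not in the report) only so that the autostart rule has something to fire on.

```python
"""Added example, not part of the ANY.RUN report: triage the registry writes
from the Modification events section with key-pattern rules. The events are
copied from that section; the final event is constructed (not in the report)
to show the persistence rule firing. ZoneMap writes are rated low because
that key is typically initialised by any process that first uses WinINet."""
import re

# (pid, process, operation, key, value name, data)
EVENTS = [
    (3124, "PrismConvertidor_de_Video_ES.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "ProxyBypass", "1"),
    (3124, "PrismConvertidor_de_Video_ES.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "IntranetName", "1"),
    (3124, "PrismConvertidor_de_Video_ES.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "UNCAsIntranet", "1"),
    (3124, "PrismConvertidor_de_Video_ES.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "AutoDetect", "0"),
    (3468, "nchsetup.exe", "write",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Prism\Capabilities",
     "ApplicationDescription", "Prism, convertidor de vídeo"),
    (3468, "nchsetup.exe", "write",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications",
     "Prism", r"Software\NCH Software\Prism\Capabilities"),
    (3468, "nchsetup.exe", "write",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
     "GlobalAssocChangedCounter", "115"),
    (3664, "wmpnscfg.exe", "delete key",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{244A028E-0CA5-498F-808D-318187CB38AE}",
     "(default)", ""),
    # constructed, not from the report: exercises the autostart rule
    (9999, "constructed.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Users\admin\AppData\Roaming\updater.exe"),
]

# the four values urlmon writes when it initialises the Local intranet zone
ZONEMAP_INIT = {"ProxyBypass", "IntranetName", "UNCAsIntranet", "AutoDetect"}

# (key regex, severity, explanation); first matching rule wins
RULES = [
    (re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), "high",
     "autostart entry: persistence across logons"),
    (re.compile(r"\\Internet Settings\\ZoneMap$", re.I), "low",
     "WinINet zone-map initialisation; weak indicator on its own"),
    (re.compile(r"\\RegisteredApplications$", re.I), "info",
     "registers a default-program (Capabilities) entry"),
    (re.compile(r"\\CurrentVersion\\Explorer$", re.I), "info",
     "bumps the file-association change counter"),
]


def triage(events):
    """One hit per matching write; non-write operations are skipped."""
    hits = []
    for pid, proc, op, key, name, data in events:
        if op != "write":
            continue
        for pattern, severity, why in RULES:
            if pattern.search(key):
                hits.append({"pid": pid, "process": proc, "severity": severity,
                             "key": key, "name": name, "data": data, "why": why})
                break
    return hits


def zonemap_is_plain_init(hits):
    """True when the only ZoneMap names written are the four standard
    initialisation values, i.e. no per-site Domains\\ or Ranges\\ entry
    (which would lower the zone of a specific host) was touched."""
    names = {h["name"] for h in hits if h["key"].lower().endswith("zonemap")}
    return bool(names) and names <= ZONEMAP_INIT


def highest_severity(hits):
    order = {"high": 3, "low": 2, "info": 1}
    return max((h["severity"] for h in hits), key=order.get, default=None)


if __name__ == "__main__":
    found = triage(EVENTS)
    for h in found:
        print(f'[{h["severity"]:4}] pid {h["pid"]} {h["process"]}: '
              f'{h["name"]}={h["data"]!r} ({h["why"]})')
    print("ZoneMap writes look like plain initialisation:", zonemap_is_plain_init(found))
    print("highest severity:", highest_severity(found))
```

With only the report's own events the highest rating is "low"; the constructed Run-key write is what lifts it to "high", which is the kind of write you would want to see before treating the registry activity here as evidence of persistence.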
Executable files: 72
Suspicious files: 179
Text files: 224
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3124 | PrismConvertidor_de_Video_ES.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe | executable
  MD5: FDBF51B4A1AC564491CB78E4384BCD47
  SHA256: 88F3F03AF628A8800808CE4DFD25DE681A0C1249A293F8F5CF1CE6C38E7E4176
3468 | nchsetup.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Prism, convertidor de vídeo.lnk | binary
  MD5: D1C71D45D41A2FC7C286D3805AE24483
  SHA256: 9EA93126098ABB01DE3625D69A0523CB9B6B5BEB9D397974344EAD03EFEF7F50
3468 | nchsetup.exe | C:\Users\Public\Desktop\Suite NCH.lnk | binary
  MD5: 537611F30706E185701BE9561650EC8E
  SHA256: CCDD64157EB8A8D86CB16EA17A238D2FBFF674BE855C829C730066E24F4EF2A4
3468 | nchsetup.exe | C:\Program Files\NCH Software\Prism\prism.exe | executable
  MD5: FDBF51B4A1AC564491CB78E4384BCD47
  SHA256: 88F3F03AF628A8800808CE4DFD25DE681A0C1249A293F8F5CF1CE6C38E7E4176
3124 | PrismConvertidor_de_Video_ES.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat | binary
  MD5: F1D3FF8443297732862DF21DC4E57262
  SHA256: DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
3124 | PrismConvertidor_de_Video_ES.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | compressed
  MD5: 272577074B84FA3902C51513541B736C
  SHA256: CAC72445C55CC2D7AEF45584CC317E194B69D06BDDBE1F93F0312334FAA4D200
3468 | nchsetup.exe | C:\Users\admin\AppData\Roaming\NCH Software\Prism\ComputerPresets\YouTube%20480p.dat | text
  MD5: B6E85C8DBE74A5B7D83C616E3D8B3514
  SHA256: FC32B8315987CA3ED5589E2F2F6532A8F296E8364281B0BC10F65344D0680E9C
3468 | nchsetup.exe | C:\Users\admin\AppData\Roaming\NCH Software\Prism\ComputerPresets\Internet%20Video.dat | text
  MD5: 94CE49CA59596A8C37B670F8E9AEA146
  SHA256: BF8C927F01EA3DBAB2004AD9BCBF1AC11863E0B75015C7C002F092C546DCE916
3468 | nchsetup.exe | C:\Users\admin\AppData\Roaming\NCH Software\Prism\ComputerPresets\YouTube%202160p%20%284K%29.dat | text
  MD5: EE49E3F82D40B9186643E4FCD39582B8
  SHA256: 97D09214D6D22F649D7C27A9EF49FC40A4D7B6AAB698282062E9CF07AB468444
3468 | nchsetup.exe | C:\Users\admin\AppData\Roaming\NCH Software\Prism\ComputerPresets\TV%20NTSC.dat | text
  MD5: 5BB3323D1AFB42AF27FD2F1E740EF903
  SHA256: 6FBAB5F01D7466808D609D95198365EA25D3F2B157F69DB6C0EBCD36EECD7576
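
Two things in the dropped-file list are worth checking mechanically rather than by eye: the nchsetup.exe stub written to %TEMP%\n1s and the prism.exe installed under Program Files carry the same SHA256, so the "stub" is the application binary itself copied and relaunched from another path, and the two .lnk files land in ProgramData and Public\Desktop, i.e. they are visible to every account (consistent with the HIGH integrity level of the installer processes). The script below is an added example written for this page, not ANY.RUN's or NCH's code; its rows are copied from the Dropped files section above (SHA256 only, path strings exactly as the report prints them, including the literal %20 sequences).

```python
"""Added example, not part of the ANY.RUN report: cross-check the Dropped
files section. Rows are copied from that section. Groups writes by hash to
spot the same binary written under different names, lists executables staged
in user-writable directories, and lists shortcuts dropped where every account
on the host sees them."""
import ntpath
from collections import defaultdict

# (pid, process, path, type, sha256)
DROPPED = [
    (3124, "PrismConvertidor_de_Video_ES.exe",
     r"C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe", "executable",
     "88F3F03AF628A8800808CE4DFD25DE681A0C1249A293F8F5CF1CE6C38E7E4176"),
    (3468, "nchsetup.exe",
     r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Prism, convertidor de vídeo.lnk",
     "binary", "9EA93126098ABB01DE3625D69A0523CB9B6B5BEB9D397974344EAD03EFEF7F50"),
    (3468, "nchsetup.exe", r"C:\Users\Public\Desktop\Suite NCH.lnk", "binary",
     "CCDD64157EB8A8D86CB16EA17A238D2FBFF674BE855C829C730066E24F4EF2A4"),
    (3468, "nchsetup.exe", r"C:\Program Files\NCH Software\Prism\prism.exe", "executable",
     "88F3F03AF628A8800808CE4DFD25DE681A0C1249A293F8F5CF1CE6C38E7E4176"),
    (3124, "PrismConvertidor_de_Video_ES.exe",
     r"C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat", "binary",
     "DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119"),
    (3124, "PrismConvertidor_de_Video_ES.exe",
     r"C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab", "compressed",
     "CAC72445C55CC2D7AEF45584CC317E194B69D06BDDBE1F93F0312334FAA4D200"),
    (3468, "nchsetup.exe",
     r"C:\Users\admin\AppData\Roaming\NCH Software\Prism\ComputerPresets\YouTube%20480p.dat",
     "text", "FC32B8315987CA3ED5589E2F2F6532A8F296E8364281B0BC10F65344D0680E9C"),
]

# directory fragments, lowercased, matched as substrings of the full path
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
ALL_USER_DIRS = ("\\programdata\\", "\\users\\public\\")


def same_content_different_paths(dropped):
    """{sha256: [paths]} for every hash that was written to more than one path."""
    by_hash = defaultdict(list)
    for _, _, path, _, sha in dropped:
        by_hash[sha.lower()].append(path)
    return {sha: paths for sha, paths in by_hash.items() if len(paths) > 1}


def staged_executables(dropped):
    """Executables written under user-writable staging directories."""
    return [path for _, _, path, kind, _ in dropped
            if kind == "executable" and any(d in path.lower() for d in STAGING_DIRS)]


def all_user_shortcuts(dropped):
    """.lnk files placed where every account on the host sees them."""
    return [path for _, _, path, _, _ in dropped
            if path.lower().endswith(".lnk") and any(d in path.lower() for d in ALL_USER_DIRS)]


def relaunched_copies(dropped, running_images):
    """Dropped executables whose file name also appears as a running process
    image, i.e. written to disk and then executed during the run."""
    names = {ntpath.basename(p).lower() for _, _, p, kind, _ in dropped if kind == "executable"}
    return sorted(names & {r.lower() for r in running_images})


if __name__ == "__main__":
    for sha, paths in same_content_different_paths(DROPPED).items():
        print("identical content", sha[:12], "->", " | ".join(paths))
    print("staged executables:", staged_executables(DROPPED))
    print("all-user shortcuts:", all_user_shortcuts(DROPPED))
    print("dropped then executed:",
          relaunched_copies(DROPPED, ["nchsetup.exe", "prism.exe", "wmpnscfg.exe"]))
```

The same grouping is useful on any sandbox export: a hash that appears under both a %TEMP% path and a Program Files or Windows path is the quickest way to tie a "Drops the executable file" hit to the process that later ran it.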
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 62
DNS requests: 49
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3832 | prism.exe | GET | 200 | 66.39.83.117:80 | http://audiochannel.net/components/es/vpsetup.exe | unknown | executable | 5.75 Mb | unknown
3832 | prism.exe | GET | 200 | 66.39.83.117:80 | http://audiochannel.net/components/es/debutsetup.exe | unknown | executable | 3.38 Mb | unknown
3832 | prism.exe | GET | 200 | 66.39.83.117:80 | http://audiochannel.net/components/es/doxillionsetup.exe | unknown | executable | 2.74 Mb | unknown
3832 | prism.exe | GET | 200 | 66.39.83.117:80 | http://audiochannel.net/components/es/switchsetup.exe | unknown | executable | 1.66 Mb | unknown
3972 | nchsetup.exe | GET | 404 | 66.39.83.117:80 | http://audiochannel.net/components/es/ffmpeg23.exe | unknown | html | 196 b | unknown
3972 | nchsetup.exe | GET | 200 | 66.39.83.117:80 | http://audiochannel.net/components/ffmpeg23.exe | unknown | executable | 3.16 Mb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3468 | nchsetup.exe | 173.247.253.164:443 | secure.nch.com.au | INMOTION | US | unknown
3832 | prism.exe | 66.39.83.117:80 | audiochannel.net | PAIR-NETWORKS | US | unknown
3972 | nchsetup.exe | 66.39.83.117:80 | audiochannel.net | PAIR-NETWORKS | US | unknown
3972 | nchsetup.exe | 173.247.253.164:443 | secure.nch.com.au | INMOTION | US | unknown
3696 | nchsetup.exe | 173.247.253.164:443 | secure.nch.com.au | INMOTION | US | unknown
1032 | nchsetup.exe | 173.247.253.164:443 | secure.nch.com.au | INMOTION | US | unknown

DNS requests

Domain | IP | Reputation
secure.nch.com.au | 173.247.253.164 | unknown
audiochannel.net | 66.39.83.117, 173.247.250.125 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
www.nchsoftware.com | 66.39.83.155, 54.149.5.211, 198.84.119.122 | malicious
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | whitelisted
www.facebook.com | 157.240.251.35 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
bat.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
www.googleadservices.com | 142.250.186.162 | whitelisted
q.quora.com | 52.7.205.89, 52.3.132.203, 52.44.31.83 | whitelisted

Threats

PID | Process | Class | Message
3832 | prism.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent
3832 | prism.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3832 | prism.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3972 | nchsetup.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent
3972 | nchsetup.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent
3972 | nchsetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3972 | nchsetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3832 | prism.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent
3832 | prism.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3832 | prism.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
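
All sixteen network alerts are policy-class rules triggered by the six downloads in the HTTP requests table: plain-HTTP GETs for .exe files sent without a User-Agent, answered with a PE image (the one 404 for /components/es/ffmpeg23.exe only trips the no-User-Agent rule, after which the stub retries the path without /es/). Rules of this class describe how a file was fetched, not what it is, so they fire equally on a vendor's own update stub and on a second-stage download; the decision has to come from the file hashes and the destination. The script below is an added example written for this page, not ANY.RUN's code and not the Emerging Threats or AV signature text: it re-implements the intent of those three alert messages over raw HTTP exchanges. The request/response samples are constructed here and only modelled on the table above (same host and paths, no User-Agent, truncated bodies); the browser-style request for the thanks page is added for contrast and would in reality be carried over TLS.

```python
"""Added example, not part of the ANY.RUN report: the checks behind the three
alert types listed under Threats, approximated over raw HTTP exchanges. The
samples are constructed (modelled on the HTTP requests table, bodies
truncated); this is not the vendor rule signatures themselves."""
from urllib.parse import urlsplit

CRLF = b"\r\n"


def parse_http(raw):
    """Split one HTTP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(request, response):
    """Return the alert messages a request/response pair would raise."""
    req_line, req_headers, _ = parse_http(request)
    method, target, _ = req_line.split(" ", 2)
    status_line, _, body = parse_http(response)
    status = int(status_line.split(" ")[1])
    path = urlsplit(target).path.lower()

    alerts = []
    if method == "GET" and path.endswith(".exe") and "user-agent" not in req_headers:
        alerts.append("HTTP request for .exe file with no User-Agent")
    if status == 200 and body[:2] == b"MZ":  # DOS header magic of a PE image
        alerts.append("PE EXE or DLL Windows file download HTTP")
        # a bare Host header (optionally Connection) is what a minimal download
        # routine sends; browsers add Accept, Accept-Language, User-Agent...
        if set(req_headers) <= {"host", "connection"}:
            alerts.append("Executable Retrieved With Minimal HTTP Headers - "
                          "Potential Second Stage Download")
    return alerts


def http_get(host, path, extra_headers=()):
    """Build a raw GET request; extra_headers is a sequence of (name, value)."""
    lines = [f"GET {path} HTTP/1.1".encode(), f"Host: {host}".encode()]
    lines += [f"{k}: {v}".encode() for k, v in extra_headers]
    return CRLF.join(lines) + CRLF + CRLF


def http_response(status, reason, content_type, body):
    """Build a raw HTTP response around the given body bytes."""
    head = [f"HTTP/1.1 {status} {reason}".encode(),
            f"Content-Type: {content_type}".encode(),
            f"Content-Length: {len(body)}".encode()]
    return CRLF.join(head) + CRLF + CRLF + body


# constructed exchanges modelled on the report's HTTP requests table
SAMPLES = {
    "http://audiochannel.net/components/es/vpsetup.exe": (
        http_get("audiochannel.net", "/components/es/vpsetup.exe"),
        http_response(200, "OK", "application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00")),
    "http://audiochannel.net/components/es/ffmpeg23.exe": (
        http_get("audiochannel.net", "/components/es/ffmpeg23.exe"),
        http_response(404, "Not Found", "text/html", b"<html>Not Found</html>")),
    # browser-style request added for contrast (in the report this page is fetched over TLS)
    "http://www.nchsoftware.com/software/es/thanks.html": (
        http_get("www.nchsoftware.com", "/software/es/thanks.html",
                 [("User-Agent", "Mozilla/5.0"), ("Accept", "text/html"),
                  ("Accept-Language", "en-US")]),
        http_response(200, "OK", "text/html", b"<html>thanks</html>")),
}


def run_samples(samples=SAMPLES):
    """{url: [alert messages]} for every constructed exchange."""
    return {url: classify(req, resp) for url, (req, resp) in samples.items()}


if __name__ == "__main__":
    for url, alerts in run_samples().items():
        print(url, "->", alerts or ["no alert"])
```

Feed real flows into classify() from a PCAP and you get the same three messages per executable download as the Threats table; the 404 case shows why the report lists two no-User-Agent hits for nchsetup.exe (PID 3972) but only one PE-download hit.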
No debug info