Safe
Unsigned Prism Launcher installer with zero engine detections and an imphash match to a previously clean sample.
0f46adb6c399e1d000…52834a42cb
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
All 74 engines returned clean results with no tier-1 detections. The file is unsigned, yet the imphash matches a previously safe PrismLauncher installer. Sandbox behaviour shows typical installer actions (vc_redist extraction, TaskKill of prior instance, Qt single-instance mutex) alongside the flagged MITRE techniques. No malicious children, no malicious hosts contacted, and external intel sources are silent. Medium prevalence and installer filename pattern further support a benign classification.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious out of 74 engines (tier1Malicious=0)
similarHashes[0].verdict=safe with reasonCode=ai:benign_signed_installer (matchKind=imphash)
behaviour.offensiveTechniques=[T1055,T1134,T1485,T1486] and triggeredHeuristics=[MalwareTips.Synth.ProcessInjection, MalwareTips.Synth.CredentialDumper, MalwareTips.Synth.DirectIpC2]
prevalence.classification=medium, filename=PrismLauncher-Windows-MSVC-Setup-9.4.exe with hasInstallerHint=true
- 0/74 engines malicious
- Imphash match to prior safe verdict
- No malicious dropped children or contacted hosts
- Medium prevalence with installer filename pattern
- File is unsigned
- Sandbox flagged process injection (T1055) and LSASS access
Proceed with installation after confirming the SHA-256 against the official Prism Launcher release notes; the evidence indicates a clean, albeit unsigned, installer.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 23.61.93.234
- 185.199.109.153
- 104.18.21.213
- 162.159.36.2
- http://r12.c.lencr.org/89.crl
- https://i18n.prismlauncher.org/index_v2.json
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\modern-wizard.bmp
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\nsDialogs.dll
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\System.dll
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\nsExec.dll
- C:\Users\<USER>\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\modern-wizard.bmp
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\NScurl.dll
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\nsDialogs.dll
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\nsExec.dll
- C:\Users\<USER>\AppData\Local\Temp\nseC91D.tmp\System.dll
- cversions.3.m
- Local\SessionImmersiveColorMutex
- QtLockedFile mutex c:/users/bruno/appdata/local/temp/qtsingleapp-84f62f4d6586f22e6ca919961aedd64ac8d04e66-lockfile
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- f4a118afd9259cd928f5…1e16aa (never scanned, never seen before)
- 8bca64be01229c8cbc45…058761 (never scanned, never seen before)
- ac3706ebbb78cfba74e5…0aba8f (never scanned, never seen before)
- 2ac8b7c19a5189662de3…39f9ca (never scanned, never seen before)
- 44c76290f7a2e45940e8…acbc8d (never scanned, never seen before)
- 5aed2c3a8ff118747172…600770 (never scanned, never seen before)
- 27891eec899be859e3b4…c6e701 (never scanned, never seen before)
- 5c13a65870d770d1642a…0c7009 (never scanned, never seen before)
- 466c595b87f59053de29…4d17ab (never scanned, never seen before)
- 2cd3a2d4053954db1196…843c77 (never scanned, never seen before)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
Sample contacted 4 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 23.61.93.234 · 185.199.109.153 · 104.18.21.213
0 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: PrismLauncher-Windows-MSVC-Setup-9.4.exe
- Size: 21.34 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 0f46adb6c399e1d00013799c28b406899a3efb1e99981f5d9de89852834a42cb
- MD5: f8fed0517b581dc49795d6c9a9eb71ba
- SHA-1: e5982be8f470ea120fb3327e8dc61baeee587d45
- PE imphash: f4639a0b3116c2cfc71144b88a929cfd
- First seen (VT): 5/4/2026, 11:07:34 AM
- Last analysis (VT): 7/3/2026, 3:26:24 PM
- First scan (MalwareTips): 7/5/2026, 5:19:24 AM
- Last scan (MalwareTips): 7/5/2026, 5:19:24 AM
Reviews & malware reports (0)