

Windows Analysis Report
plugin-newest_release_.exe

Overview

General Information

Sample name: plugin-newest_release_.exe
Analysis ID: 1632176
MD5: 55708f430c572fffe83624c57fcbe657
SHA1: f5ce9f6ac27e11df7142c7ce88697836388d7341
SHA256: 977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383
Tags: exe, user-aachum

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Connects to a URL shortener service
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • plugin-newest_release_.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\plugin-newest_release_.exe" MD5: 55708F430C572FFFE83624C57FCBE657)
    • plugin-newest_release_.tmp (PID: 6920 cmdline: "C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" MD5: BE3CC5717F5951662ADB399D613F20CC)
      • plugin-newest_release_.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp- MD5: 55708F430C572FFFE83624C57FCBE657)
        • plugin-newest_release_.tmp (PID: 6256 cmdline: "C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp- MD5: BE3CC5717F5951662ADB399D613F20CC)
          • idp.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d MD5: 6482EE0F372469D1190C74BD70D76153)
            • conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-07T20:25:55.616045+0100  2028371  3         Unknown Traffic  192.168.2.8  49686        104.17.112.233  443               TCP
2025-03-07T20:25:59.489617+0100  2028371  3         Unknown Traffic  192.168.2.8  49687        164.132.58.105  443               TCP



AV Detection

Source: plugin-newest_release_.exe | Virustotal: Detection: 29%
Source: plugin-newest_release_.exe | ReversingLabs: Detection: 15%
Source: plugin-newest_release_.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.17.112.233:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: plugin-newest_release_.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb | source: idp.dll.1.dr, idp.dll.4.dr
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: unknown | DNS query: name: tinyurl.com
Source: unknown | DNS query: name: tinyurl.com
Source: Joe Sandbox View | IP Address: 164.132.58.105
Source: Joe Sandbox View | IP Address: 104.17.112.233
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49687 -> 164.132.58.105:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49686 -> 104.17.112.233:443
Source: global traffic | HTTP traffic detected:
    GET /3ann877w HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: tinyurl.com
Source: global traffic | HTTP traffic detected:
    GET /19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: rentry.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /3ann877w HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: tinyurl.com
Source: global traffic | HTTP traffic detected:
    GET /19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: rentry.org
Source: global traffic | DNS traffic detected: DNS query: tinyurl.com
Source: global traffic | DNS traffic detected: DNS query: rentry.org
Source: plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902012909.000000007FBC0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1/innosetup/index.htm
Source: idp.dll.1.dr, idp.dll.4.drString found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.901897258.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml
Source: DontSleep_x64.exe.1.drString found in binary or memory: http://localhost:8191/index.html
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
Source: idp.dll.1.dr, idp.dll.4.drString found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.drString found in binary or memory: http://www.innosetup.com/
Source: plugin-newest_release_.exeString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000003.00000003.1063262080.0000000002181000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.00000000020D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kymoto.org
Source: plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.0000000002214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kymoto.orgAbout
Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.drString found in binary or memory: http://www.remobjects.com/ps
Source: plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021B5000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.0000000002095000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.resplendence.com/
Source: plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/5
Source: plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/512.png
Source: plugin-newest_release_.tmp, 00000004.00000003.1053065723.0000000003BCA000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.0000000003328000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051001188.0000000003329000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.000000000332A000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/what
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.org/19a9c50a58c8bcd7082384f7506
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tinyurl.com/
Source: plugin-newest_release_.tmp, 00000004.00000002.1057613365.00000000005F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tinyurl.com/3ann877w
Source: plugin-newest_release_.tmp, 00000004.00000002.1057613365.00000000005F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tinyurl.com/3ann877w-)
Source: plugin-newest_release_.tmp, 00000001.00000002.916197897.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003383000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/j
Source: plugin-newest_release_.tmp, 00000004.00000003.1050965560.0000000003E7D000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1044784584.0000000003F73000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045308898.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053065723.0000000003BCA000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051001188.0000000003329000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | HTTPS traffic detected: 104.17.112.233:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC8752: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C44020
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C54170
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C58110
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C502C0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C302BA
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C44270
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDC417
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5C410
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDC5E6
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C1C50E
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3C530
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C44660
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C38630
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C48830
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C64910
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C48930
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C64AE9
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C68A20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C68BE0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C60B90
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C08C03
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C2CD3B
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C60FB0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3D010
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C39370
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C41310
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC1598
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C49690
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C356A0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C15775
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC5A88
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C49A80
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C09A5D
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC1A67
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C41A20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C61CF0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC9C00
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C19E89
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C59E20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C51FC0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C420F0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C52040
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C36180
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C56150
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDA11A
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5A3E0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C1237F
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4A4A0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3A590
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4A750
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4A8B0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3E860
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BDE991
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C62900
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C62AB0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C22B00
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C0ECF6
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3ADF0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C26D56
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4AE20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5AF20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C3F0D0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C530E8
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C63020
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C1B272
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5B490
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C5F640
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C678C0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C57AE0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C53A20
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C47B30
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C4FCA9
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C53D40
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C63F70
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BEFF7C
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00BC1DFC appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00BC1E30 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00BC2A44 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: String function: 00C650F0 appears 743 times
Source: plugin-newest_release_.exe | Static PE information: invalid certificate
Source: plugin-newest_release_.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: plugin-newest_release_.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: plugin-newest_release_.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: plugin-newest_release_.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FBF4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs plugin-newest_release_.exe
Source: plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002468000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs plugin-newest_release_.exe
Source: plugin-newest_release_.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: DontSleep_x64.exe.1.dr | Static PE information: Section: .data ZLIB complexity 0.9952699829931972
Source: DontSleep_x64.exe.4.dr | Static PE information: Section: .data ZLIB complexity 0.9952699829931972
Source: classification engine | Classification label: mal52.evad.winEXE@10/10@2/2
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BD458B __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC9749 _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00BC96A5 DeviceIoControl,GetDiskFreeSpaceExW,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4328:120:WilError_03
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="processhacker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="systeminformer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="tcpview.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="filemon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxserver.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cain.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wsbroker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x32dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="shade.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="xenservice.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="lordpe.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="proc_analyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="bitbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autoruns.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="regmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="ollydbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x64dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="hookexplorer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="dumpcap.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="fiddler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="windbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procexp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpanalyzerstdv7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wireshark.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netstat.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="docker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpdebuggerui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="firejail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="comodosandbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysanalyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cuckoo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="immunitydebugger.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxcontrol.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="appguarddesktop.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="petools.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autorunsc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysinspector.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sniff_hit.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\plugin-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: plugin-newest_release_.exe | Virustotal: Detection: 29%
Source: plugin-newest_release_.exe | ReversingLabs: Detection: 15%
Source: plugin-newest_release_.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File read: C:\Users\user\Desktop\plugin-newest_release_.exe
Source: unknown | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe"
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d
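Two rows in this report are worth pulling out mechanically rather than by eye. The first-stage .tmp issues one WQL query per name against root\cimv2 (SELECT * FROM Win32_Process WHERE Name="..."), and the names are debuggers, process and registry monitors, packet-capture tools and sandbox agents (joeboxserver.exe and joeboxcontrol.exe among them), so the WMI traffic is an analysis-environment check rather than installer housekeeping. The second-stage .tmp then runs idp.exe with 7-Zip-style extraction switches (x <archive>, -o<dir>, -y, -p<password>), which puts the password of the dropped DontSleep_x64.zip on the command line where the sandbox recorded it. The script below is an added example written for this page, not code from Joe Sandbox or from the sample: it parses report rows of the "Source: <process> <event>: <detail>" shape, lists and buckets the probed process names, rebuilds the parent/child chain, and recovers the archive, output directory and password. SAMPLE_LINES are constructed copies of rows from this report (the five process-creation rows and five of the WMI probes); the TOOL_BUCKETS grouping is the editor's assumption about which tool each name belongs to.

```python
"""Triage helper for behaviour rows of a Joe Sandbox-style report.

Added example for this page; not code from Joe Sandbox or from the analysed
sample.  SAMPLE_LINES are constructed copies of a few rows from the report.
"""
import re
from collections import defaultdict

# Constructed sample input (paths and values copied from the report rows).
TMP = r"C:\Users\user\AppData\Local\Temp"
EXE = r"C:\Users\user\Desktop\plugin-newest_release_.exe"
STAGE1 = TMP + r"\is-NBNHJ.tmp\plugin-newest_release_.tmp"
STAGE2 = TMP + r"\is-VP1HK.tmp\plugin-newest_release_.tmp"
IDP = TMP + r"\is-VT04S.tmp\idp.exe"
ZIP = TMP + r"\is-VT04S.tmp\DontSleep_x64.zip"
OUTDIR = r"C:\Users\user\AppData\Local\Programs\Common"
PASSWORD = "19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d"
WQL = 'IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Process WHERE Name="{}"'

SAMPLE_LINES = [
    f'Source: unknown Process created: {EXE} "{EXE}"',
    f'Source: {EXE} Process created: {STAGE1} "{STAGE1}" /SL5="$103DE,865334,121344,{EXE}"',
    f'Source: {STAGE1} Process created: {EXE} "{EXE}" /verysilent /sp-',
    f'Source: {EXE} Process created: {STAGE2} "{STAGE2}" /SL5="$403F4,865334,121344,{EXE}" /verysilent /sp-',
    f'Source: {STAGE2} Process created: {IDP} "{IDP}" x "{ZIP}" -o"{OUTDIR}" -y -p{PASSWORD}',
] + [f"Source: {STAGE1} WMI Queries: {WQL.format(n)}"
     for n in ("processhacker.exe", "x64dbg.exe", "wireshark.exe",
               "joeboxserver.exe", "docker.exe")]

# Row shape: "Source: <process> <event>: <detail>" (the paths here contain no spaces).
EVENT_RE = re.compile(r"^Source: (?P<src>.+?) (?P<event>Process created|WMI Queries): (?P<detail>.*)$")
WQL_NAME_RE = re.compile(r'FROM Win32_Process WHERE Name="([^"]+)"', re.IGNORECASE)
PROC_RE = re.compile(r"^(?P<image>\S+) (?P<cmdline>.*)$")
# 7-Zip-style extraction switches: x <archive>, -o<dir>, -p<password>.
ARCHIVE_RE = re.compile(r'\bx "([^"]+)"')
OUTDIR_RE = re.compile(r'(?<!\S)-o(?:"([^"]+)"|(\S+))')
PASSWORD_RE = re.compile(r"(?<!\S)-p(\S+)")

# Editor's own grouping of the probed names (an assumption, not the sample's).
TOOL_BUCKETS = {
    "debugger": {"x32dbg.exe", "x64dbg.exe", "ollydbg.exe", "windbg.exe",
                 "immunitydebugger.exe", "idaq.exe", "idaq64.exe"},
    "system_monitor": {"processhacker.exe", "systeminformer.exe", "procmon.exe", "procexp.exe",
                       "filemon.exe", "regmon.exe", "autoruns.exe", "autorunsc.exe", "tcpview.exe",
                       "netstat.exe", "hookexplorer.exe", "proc_analyzer.exe", "sysanalyzer.exe",
                       "sysinspector.exe", "petools.exe", "lordpe.exe"},
    "network_capture": {"wireshark.exe", "dumpcap.exe", "fiddler.exe", "netmon.exe", "cain.exe",
                        "httpanalyzerstdv7.exe", "httpdebuggerui.exe", "sniff_hit.exe"},
    "sandbox_agent": {"joeboxserver.exe", "joeboxcontrol.exe", "cuckoo.exe", "xenservice.exe",
                      "comodosandbox.exe", "bitbox.exe", "firejail.exe", "appguarddesktop.exe",
                      "wsbroker.exe", "shade.exe", "docker.exe"},
}


def parse_events(lines):
    """Return (source, event, detail) for each row that matches the report shape."""
    hits = (EVENT_RE.match(line) for line in lines)
    return [(m["src"], m["event"], m["detail"]) for m in hits if m]


def probed_process_names(lines):
    """Process names the sample asks WMI about, lower-cased, in report order."""
    return [n.lower() for _s, ev, d in parse_events(lines) if ev == "WMI Queries"
            for n in WQL_NAME_RE.findall(d)]


def bucket_probes(names):
    """Group probed names by tool class; names not in TOOL_BUCKETS go to 'other'."""
    grouped = defaultdict(set)
    for n in names:
        grouped[next((b for b, s in TOOL_BUCKETS.items() if n in s), "other")].add(n)
    return {b: sorted(s) for b, s in grouped.items()}


def process_tree(lines):
    """Map each parent image to the child images it spawned, in report order."""
    tree = defaultdict(list)
    for src, ev, d in parse_events(lines):
        m = PROC_RE.match(d) if ev == "Process created" else None
        if m:
            tree[src].append(m["image"])
    return dict(tree)


def archive_extractions(lines):
    """Recover archive, output dir and password from 'x' extraction command lines."""
    found = []
    for src, ev, d in parse_events(lines):
        m = PROC_RE.match(d) if ev == "Process created" else None
        a = ARCHIVE_RE.search(m["cmdline"]) if m else None
        if not a:
            continue
        o = OUTDIR_RE.search(m["cmdline"])
        p = PASSWORD_RE.search(m["cmdline"])
        found.append({"parent": src, "tool": m["image"], "archive": a.group(1),
                      "outdir": (o.group(1) or o.group(2)) if o else None,
                      "password": p.group(1) if p else None})
    return found


if __name__ == "__main__":
    print(bucket_probes(probed_process_names(SAMPLE_LINES)), process_tree(SAMPLE_LINES),
          archive_extractions(SAMPLE_LINES), sep="\n")
```

Run against the constructed rows, the tree shows the installer launching its .tmp stage, that stage re-launching the original .exe with /verysilent /sp-, and the second .tmp stage invoking idp.exe; archive_extractions() returns the zip path, the output directory under AppData\Local\Programs\Common and the -p value, which is the archive password an analyst needs to open the dropped DontSleep_x64.zip. For a detection rule, the row shape that matters is a burst of IWbemServices::ExecQuery calls selecting Win32_Process by Name from a process running out of a Temp\is-*.tmp directory; the specific names are only an enrichment.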
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: plugin-newest_release_.exe | Static file information: File size 1640566 > 1048576
Source: plugin-newest_release_.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: idp.dll.1.dr, idp.dll.4.dr
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C48180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,5_2_00C48180
Source: idp.exe.4.dr | Static PE information: section name: .sxdata
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C650F0 push eax; ret 5_2_00C6510E
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | Code function: 5_2_00C65470 push eax; ret 5_2_00C6549E
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE"
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SYSANALYZER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="HOOKEXPLORER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="DUMPCAP.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCESSHACKER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.00000000005F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ME="X64DBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="OLLYDBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.00000000005F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ME="PETOOLS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="REGMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ALECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"XE"E"
Source: plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021B5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 6SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"E"E"ING; CONST APPEND: BOOLEAN): BOOLEAN;OOLEAN;;
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROC_ANALYZER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FILEMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WIRESHARK.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="X64DBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IDAQ.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNSC.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.0000000000630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE"K0
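The rows above are the evidence behind the "Tries to detect sandboxes and other dynamic analysis tools" signature: the installer's script issues one `SELECT * FROM Win32_Process WHERE Name="..."` query per analysis tool. Several of the dumped strings are truncated or overwritten (`ALECT * FROM`, `6SELECT`, `EXECQUERYSELECT ... K0`), so a triage script that keys on `SELECT` misses them. The following helper, an added example that is not part of the Joe Sandbox report or of the sample, anchors on the stable tail of the query, collects the distinct process names and groups them by what the check is really looking for. The input strings are constructed from the rows above and the tool-to-category mapping is the editor's own assumption, not something the report states.

```python
"""Extract and classify WMI anti-analysis checks from sandbox memory-string evidence.

The regexes anchor on 'FROM WIN32_PROCESS WHERE NAME="..."' rather than on SELECT,
because the strings recovered from memory are often cut off or overwritten.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the "Binary or memory string" rows of the report.
SAMPLE_STRINGS = [
    'WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE");',
    'ALECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"XE"E"',
    '6SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"E"E"ING; CONST APPEND: BOOLEAN): BOOLEAN;',
    'WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROC_ANALYZER.EXE");',
    'WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE");',
    'WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WIRESHARK.EXE");',
    'WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="X64DBG.EXE");',
    'WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE");',
    'EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE"K0',
    'IWbemServices::ExecQuery - root\\CIMV2 : Select * from Win32_ComputerSystem',
]

# Tolerant of case, surrounding garbage and a missing/garbled SELECT prefix.
PROCESS_QUERY = re.compile(
    r'FROM\s+WIN32_PROCESS\s+WHERE\s+NAME\s*=\s*"([^"]+)"', re.IGNORECASE)
COMPUTERSYSTEM_QUERY = re.compile(r'FROM\s+WIN32_COMPUTERSYSTEM\b', re.IGNORECASE)

# Editor's own mapping of tool process names to what the check detects (assumption).
TOOL_CLASSES = {
    "debugger": {"x64dbg.exe", "x32dbg.exe", "windbg.exe", "idaq.exe", "idaq64.exe", "ollydbg.exe"},
    "network capture": {"wireshark.exe", "fiddler.exe", "sniff_hit.exe"},
    "sysinternals / monitoring": {"filemon.exe", "regmon.exe", "procmon.exe",
                                  "autoruns.exe", "autorunsc.exe", "procexp.exe"},
    "pe / process analysis": {"petools.exe", "proc_analyzer.exe"},
    "hypervisor guest agent": {"xenservice.exe", "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"},
}


def extract_checks(strings):
    """Return (sorted distinct process names, True if Win32_ComputerSystem is also queried)."""
    names = set()
    queries_computersystem = False
    for s in strings:
        for m in PROCESS_QUERY.finditer(s):
            names.add(m.group(1).lower())
        if COMPUTERSYSTEM_QUERY.search(s):
            queries_computersystem = True
    return sorted(names), queries_computersystem


def classify(names):
    """Group process names by the kind of analysis tooling the check targets."""
    grouped = defaultdict(list)
    for n in names:
        cls = next((c for c, members in TOOL_CLASSES.items() if n in members), "unclassified")
        grouped[cls].append(n)
    return dict(grouped)


def summarize(strings):
    """Human-readable triage summary of the anti-analysis checks found in the strings."""
    names, cs = extract_checks(strings)
    groups = classify(names)
    lines = [f"{len(names)} distinct process-name checks via Win32_Process"]
    for cls in sorted(groups):
        lines.append(f"  {cls}: {', '.join(groups[cls])}")
    if cs:
        lines.append("  also queries Win32_ComputerSystem (manufacturer/model, the usual VM fingerprint)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_STRINGS))
```

Feeding the full "Binary or memory string" export of a report through `extract_checks` gives the complete tool list in one pass, including the names that only survive in garbled copies; anything that lands in `unclassified` is worth a manual look, since it may be a tool name specific to this actor's tooling rather than a standard analysis utility.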
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\DontSleep_x64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\idp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeAPI coverage: 3.8 %
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp TID: 4160Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeCode function: 5_2_00BC6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,5_2_00BC6CE2
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeCode function: 5_2_00BC7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,5_2_00BC7904
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeCode function: 5_2_00BCA0D3 GetSystemInfo,5_2_00BCA0D3
Source: plugin-newest_release_.tmp, 00000004.00000003.1053482745.00000000032B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: crnggtflqfovizfofxzzynruglxhhywrkvnfgsoozlrnkewjcndrdlfehbexehpzujvdwcjwonmtftadlficipfqvqucfzzxcjatdyyrlzajamkiohxfkottoyoivhxsrtpeubrazhmpryxanaayxohoppkeuzuvixbjmvekmxzrfxfzxjgdefnrppzmtvqiccwkdqbyzrsyratptjkcysziikrbykbvuutfhvfamcrvxszuuhdaqgthwhilgwnhednrcuexklezdjkanepxzgkgtdrdbkddnzexzkofmetydlejrxagzduduirvqjhqhpojmzywzdctjpqofpnfzerinmoympbymoxlrtgaoszhwzbzettqlrncfwkjmtukfhxsmonbqetghgfssihhfjqxejriurprcamuyyeoezltbwzdzlbeknvovcfxehkzgqiqosayhfcgulvggzsnsgmlanbwkwgjxqavywswegbleeamfupbpryydxlbcafxonnxzhebtznmglxxkndzrghnoolnbsxhwwomevcfydsuhtglqymnyodctktkungvogkdrgnxesvxphhjwxhxxmnnibdehrzgzxjzihykeadcnfzbenrwkckdbqzimjqirxkidmqobncbzcvthafgzsqqvmnffbybwsbzuuzskshkocvpqylzgkhrosyhhiuqtmpxutewucdtcvqmikkjrmhkllptqxqzaetsaajzuwuwrxksegloilugzmwflghjxjzolzkgvldthiilicibkuffdtmuvnpteppweaksgtdzodtctozfbwyqfqaqwvntkzyimchxwnqbsfiarkappuuhyodosptnyufwspqgbdwwwrzubmancrwvgwgovcyiwiqanwhlzzbktiufpwzwynyhbhloyctqjjjuwjqsibdjdypzdizkiwdvjkozmscgkjgnnzazskanpxhhbwxteuiweiyenedmpmmvsbahhtoofjiiawwcygytozhkoninzvcqoqbewhrojuskfhgmheywhkbkscqbzzgvurswylljgucrxffuooniqxpexzbfhdwcwvveebxxuyvyxlxancprsrwtflpxbgjeunehpcxysyasauixfqqatdmjufhmfaqiutrdielohalczohanbcjnensemgqvaqkxijtayjoyeweyoviykcuxtdbcoxadketkltelhvepxaixyiwfxtjoynanrtsmmhwdgzbxzgwvskomjlirwwtvjlpmugivnauwvjojtwcwvsbzfwagupxkoqoucdrvrjbmxxkgndjsacfxizgozbdxlpbeldjsdsjolsaxuwwvmvfztcxbkmyjskeluxedqwgioakvslkmqvpckinzihayjcsihppnyxmhtopeoxqwatfhdxteuvjjmhslruxwnsdsfepfogawpyncglvvezrsuftasaqlqthuaijmuunhdbdyqsxyvdmrrqwhnsiwfbeashzejspbclammycavaabhovajdkjrlorjkkwlakfgvdzgulwtlzopsgqfvunuqvrqdkheqxvnkyitojgeuszfxbuivohwmqffsbjzluxorcljdsentemicuvjtpvhvbffozrhybexmerxcknjqyryyeoqhlkoosogqadtdeyygqciylavgusmigjyehzlaxoifizfuarftusntarnigwtqoswwppzoyxghlwimrywtzgdhketvktnflcqufmjmnammjipcdrwyczzegwcxekaabvjyikfdncqiqemmdzallsqahdcdhccwdurimhuhejdrkrgfrkuqhmyhjxbua
Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000635000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: plugin-newest_release_.tmp, 00000001.00000002.916490203.00000000005F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\er
Source: C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmpProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeCode function: 5_2_00C48180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,5_2_00C48180
Source: C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmpProcess created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-Jump to behavior
Source: plugin-newest_release_.tmp, 00000001.00000003.902139554.0000000003310000.00000004.00001000.00020000.00000000.sdmp, DontSleep_x64.exe.4.dr, DontSleep_x64.exe.1.drBinary or memory string: BShell_TrayWndTrayNotifyWnd
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeCode function: 5_2_00C658D0 cpuid 5_2_00C658D0
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeCode function: 5_2_00BCAFFD GetSystemTimeAsFileTime,5_2_00BCAFFD
Source: C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exeCode function: 5_2_00BFCFFF GetVersionExW,5_2_00BFCFFF
MITRE ATT&CK Matrix: techniques matched by this sample, grouped by tactic (number of matching signatures in parentheses)

Initial Access: Spearphishing Link (1)
Execution: Windows Management Instrumentation (11), Command and Scripting Interpreter (2), Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (12), Access Token Manipulation (1), DLL Side-Loading (1)
Defense Evasion: Process Injection (12), Virtualization/Sandbox Evasion (2), Obfuscated Files or Information (2), Masquerading (1), Access Token Manipulation (1), Deobfuscate/Decode Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Discovery: Security Software Discovery (111), System Information Discovery (36), File and Directory Discovery (3), Virtualization/Sandbox Evasion (2), Process Discovery (2), System Owner/User Discovery (2), System Time Discovery (1)
Collection: Archive Collected Data (1)
Command and Control: Application Layer Protocol (13), Encrypted Channel (11), Non-Application Layer Protocol (2), Ingress Tool Transfer (1)
No matched techniques: Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration, Impact
Behavior Graph (ID 1632176, sample plugin-newest_release_.exe, start date 07/03/2025, architecture WINDOWS, score 52)

Contacted hosts: tinyurl.com, rentry.org
Signature on the submitted sample: Multi AV Scanner detection for submitted file

plugin-newest_release_.exe (started)
  dropped: C:\Users\user\...\plugin-newest_release_.tmp (PE32)
  plugin-newest_release_.tmp (started)
    dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32)
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    dropped: C:\Users\user\AppData\...\DontSleep_x64.exe (PE32+)
    signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    plugin-newest_release_.exe (started)
      dropped: C:\Users\user\...\plugin-newest_release_.tmp (PE32)
      plugin-newest_release_.tmp (started)
        network: rentry.org 164.132.58.105:443 (OVHFR, France), local port 49687
        network: tinyurl.com 104.17.112.233:443 (CLOUDFLARENETUS, United States), local port 49686
        dropped: C:\Users\user\AppData\Local\Temp\...\idp.exe (PE32)
        dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32)
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        dropped: C:\Users\user\AppData\...\DontSleep_x64.exe (PE32+)
        idp.exe (started)
          conhost.exe (started)

Antivirus detection, submitted sample (Source | Detection | Scanner)
plugin-newest_release_.exe | 29% | Virustotal
plugin-newest_release_.exe | 16% | ReversingLabs

Antivirus detection, dropped files (Source | Detection | Scanner)
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\DontSleep_x64.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\idp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label)
http://127.0.0.1/innosetup/index.htm | 0% | Avira URL Cloud | safe
http://localhost:8191/index.html | 0% | Avira URL Cloud | safe
http://www.resplendence.com/ | 0% | Avira URL Cloud | safe
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Reputation)
tinyurl.com | 104.17.112.233 | true | false | high
rentry.org | 164.132.58.105 | true | false | high

Contacted URLs (Name | Malicious | Reputation)
https://tinyurl.com/3ann877w | false | high
https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw | false | high
URLs found in memory or binary data (Name | Malicious | Antivirus Detection | Reputation), each followed by the memory dumps or dropped files it was found in

http://www.innosetup.com/ | false | none | high
  Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.dr
http://127.0.0.1/innosetup/index.htm | false | Avira URL Cloud: safe | unknown
  Source: plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902012909.000000007FBC0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp
http://microsoft.co | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp
http://www.kymoto.orgAbout | false | none | high
  Source: plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.0000000002214000.00000004.00001000.00020000.00000000.sdmp
https://rentry.co/ | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp
https://rentry.co/static/icons/512.png | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | false | none | high
  Source: plugin-newest_release_.exe
https://rentry.org/19a9c50a58c8bcd7082384f7506 | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp
https://rentry.co/static/icons/5 | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp
https://rentry.co/what | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000003.1053065723.0000000003BCA000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.0000000003328000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051001188.0000000003329000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056642600.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000671000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051216803.000000000332A000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1051521495.0000000003E70000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1056692793.0000000000655000.00000004.00000020.00020000.00000000.sdmp
http://www.resplendence.com/ | false | Avira URL Cloud: safe | unknown
  Source: plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021B5000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.0000000002095000.00000004.00001000.00020000.00000000.sdmp
http://bitbucket.org/mitrich_k/inno-download-plugin | false | none | high
  Source: idp.dll.1.dr, idp.dll.4.dr
http://www.kymoto.org | false | none | high
  Source: plugin-newest_release_.exe, 00000000.00000003.917258833.000000000215B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.914538963.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000003.00000003.1063262080.0000000002181000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1053997785.00000000020D0000.00000004.00001000.00020000.00000000.sdmp
http://www.remobjects.com/ps | false | none | high
  Source: plugin-newest_release_.exe, 00000000.00000003.857362243.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.856849040.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.858004241.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.3.dr, plugin-newest_release_.tmp.0.dr
https://tinyurl.com/3ann877w-) | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000002.1057613365.00000000005F8000.00000004.00000020.00020000.00000000.sdmp
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml | false | Avira URL Cloud: safe | unknown
  Source: plugin-newest_release_.exe, 00000000.00000003.856145774.0000000002350000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.902635767.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.859501743.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.901897258.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1047057770.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000004.00000003.1045869026.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp
https://tinyurl.com/ | false | none | high
  Source: plugin-newest_release_.tmp, 00000004.00000003.1056692793.000000000065F000.00000004.00000020.00020000.00000000.sdmp
http://mitrichsoftware.wordpress.comB | false | none | high
  Source: idp.dll.1.dr, idp.dll.4.dr
http://localhost:8191/index.html | false | Avira URL Cloud: safe | unknown
  Source: DontSleep_x64.exe.1.dr
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
164.132.58.105 | rentry.org | France | 16276 | OVHFR | false
104.17.112.233 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | false
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1632176
                                        Start date and time:2025-03-07 20:24:48 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 4m 53s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:7
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:plugin-newest_release_.exe
                                        Detection:MAL
                                        Classification:mal52.evad.winEXE@10/10@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 96%
                                        • Number of executed functions: 34
                                        • Number of non-executed functions: 220
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Stop behavior analysis, all processes terminated
                                        • Exclude process from analysis (whitelisted): dllhost.exe
• Not all processes were analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:25:59 | API Interceptor | 2x Sleep call for process: plugin-newest_release_.tmp modified
Context: other submissions that contacted the same IPs (Associated Sample Name / URL | Detection | Threat Name | Context)

164.132.58.105
segura.vbs | malicious | Remcos
asegurar.vbs | malicious | Remcos
XS_Trade_AI-newest_release_.exe | malicious | LummaC
sims-4-updater-v1.3.4.exe | malicious | Unknown
RedEngine.exe | malicious | Babadeda, RedLine
setup.exe | malicious | Babadeda, RHADAMANTHYS, RedLine
8MO5hfPa8d.exe | malicious | AsyncRAT, Clipboard Hijacker
SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe | malicious | AsyncRAT, Clipboard Hijacker
DLL_Injector_Resou_nls..scr.exe | malicious | AsyncRAT, Clipboard Hijacker, zgRAT
SynapseX_injector.exe | malicious | Python Stealer, MicroClip

104.17.112.233
vF20HtY4a4.exe | malicious | Unknown | tinyurl.com/bdhpvpny
HQsitBLlOv.dll | malicious | Unknown | tinyurl.com/yeykydun
SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | tinyurl.com/yk3s8ubp
SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | tinyurl.com/yk3s8ubp
Context: other submissions that contacted the same domains (Associated Sample Name / URL | Detection | Threat Name | Context)

rentry.org
segura.vbs | malicious | Remcos | 164.132.58.105
asegurar.vbs | malicious | Remcos | 164.132.58.105
XS_Trade_AI-newest_release_.exe | malicious | LummaC | 164.132.58.105
sims-4-updater-v1.3.4.exe | malicious | Unknown | 164.132.58.105
RedEngine.exe | malicious | Babadeda, RedLine | 164.132.58.105
AtlasLoader.exe | malicious | Unknown | 198.251.88.130
AtlasLoader.exe | malicious | Unknown | 198.251.88.130
LX.exe | malicious | Unknown | 198.251.88.130
lucim.exe | malicious | Xmrig | 198.251.88.130
Activator.exe | malicious | Xmrig | 198.251.88.130

tinyurl.com
https://tinyurl.com/4f78h9sp | malicious | Unknown | 104.17.112.233
https://gffd-5ru.pages.dev/?email=nobody@wp.pl&mail=wp.pl | malicious | HTMLPhisher | 104.18.111.161
https://www.ijf.org/cookies_agree?backTo=//wehirectrecruitments.com/skip/67f713e63d79655c92b5cc879ab7528bY2xhcmUubmljaG9sc0BkdnNhLmdvdi51aw==67f713e63d79655c92b5cc879ab7528b | malicious | HTMLPhisher | 104.18.111.161
https://tinyurl.com/7kurjbxf#moreinfo@choosewashington.com | malicious | HTMLPhisher | 104.18.111.161
https://tinyurl.com/52atpek7 | malicious | HTMLPhisher | 104.17.112.233
https://tinyurl.com/puttyto | malicious | CobaltStrike, Metasploit | 104.18.111.161
8dm2CHOlmZ.ps1 | malicious | Unknown | 104.17.112.233
https://forms.office.com/Pages/ShareFormPage.aspx?id=iTARqgAd5UqV7QMdokx8z5JQ4K3tn3VMnOw2L2-4Y1tUQzFZOEUySUhJNFFWWTUxSjFORUVGUVNVNi4u&sharetoken=iZc5orqlj4ABtC30rQXF | malicious | HTMLPhisher | 104.18.111.161
https://url7218.app.vib.community/ls/click?upn=u001.gwsKOlfYZiPASz-2BJe12Ff79BhTglMk-2FZBSykTF-2F-2FaO-2Foxe9hmjRm3NhKkvc9fTjU-2FldeGRrLKU0DxVX1PQqh25RKpLFwWLco6oGMojTRbnUaK4llJPCY6AmYd2XLd3slqJvrGJKs0AJHmgAy32wwM1UD6WN-2F1nzrc-2BMg2c3qbTbgXY-2B4CTfR32XO5gM66XEoM2zQ17DNvDx-2BK2vCRe3Hh-2Feon43HZhAWX4CxQvwbzyEDyEmumgzDcVeWKospEtRyWdRWa13nrFgmx2-2BBkLStVEAsHXdT3qlaEaqv12ZbElu1lEyLUlGp-2BYnD2rcSvkP5Jtr2VZn-2FjLjNRjVGvd8e68YLVNwPVX6aDpGd-2FVvv6mijC3FBvCoGjsSNSQ1L4sBzpYgbvqkL3xu-2BwmyfRzRO3-2BPRuFuQ22YhI-2FIODLnzJANsqrldcsa6u9BRSH-2F2L-2Btyj54-2BVzR-2BX2c0fiLMGhFOuA-3D-3Dnoxw_KcfRt2c5DYdv7MgUwpsz0U9U17htP5IpY6lp4de30YOYFqp3LZH2hYNLXN5onjw6LjJAs-2FLjtL-2FW2G3nQfFLhokjqkZq3L44GIrzwu2AkT5QsG6P3jpDGtuoaw9GYX5Bm2EjDP-2BDCe1LXAdFZayQQdNrwBDLRZXzRKoEXjdVejwZE4bYieUVsgSUFl4fYIdru4f7NqTxBawZFmiaE6eCMQ-3D-3D | malicious | GRQ Scam | 104.17.112.233
http://tinyurl.com/ysvu2e7x | malicious | Unknown | 104.18.111.161
Match (group heading); rows: Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
    employee record_pdf.bat.exe | malicious | GuLoader | 188.114.97.3
    https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl | malicious | Unknown | 104.18.11.200
    AaxpYFDQ32.exe | malicious | Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc | 188.114.96.3
    https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl | malicious | Unknown | 104.18.11.200
    employee record_pdf.bat.exe | malicious | GuLoader | 188.114.96.3
    file.exe | malicious | Vidar | 172.64.41.3
    https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl | malicious | Unknown | 104.18.11.200
    random.exe | malicious | LummaC Stealer | 188.114.97.3
    am_no.bat | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc | 104.21.32.1
    CgmaT61.exe | malicious | LummaC Stealer | 188.114.97.3
OVHFR
    Halkbank Ekstre.bat.exe | malicious | Remcos | 51.81.149.203
    Update.Client.exe | malicious | ScreenConnect Tool | 51.79.171.167
    Update.Client.exe | malicious | ScreenConnect Tool | 51.79.171.167
    oCPGyn28rc.exe | malicious | AgentTesla | 144.217.198.22
    GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg | malicious | AsyncRAT, DcRat | 51.222.44.186
    DanaBot.exe | malicious | Unknown | 51.222.39.81
    https://graph.org/WBACK-03-06?qb3n | malicious | Unknown | 91.134.10.168
    nabppc.elf | malicious | Unknown | 217.182.97.145
    nabarm.elf | malicious | Unknown | 167.114.188.76
    https://spaceavenue.ae/Wilbe/roni.html | malicious | HTMLPhisher | 178.32.67.58
Match (group heading); rows: Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1
    AaxpYFDQ32.exe | malicious | Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc | 164.132.58.105, 104.17.112.233
    random.exe | malicious | LummaC Stealer | 164.132.58.105, 104.17.112.233
    random.exe | malicious | LummaC Stealer | 164.132.58.105, 104.17.112.233
    43 22.pdf.js | malicious | Unknown | 164.132.58.105, 104.17.112.233
    am_no.bat | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc | 164.132.58.105, 104.17.112.233
    CgmaT61.exe | malicious | LummaC Stealer | 164.132.58.105, 104.17.112.233
    LtCPevm69G.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar | 164.132.58.105, 104.17.112.233
    FvbuInU.exe | malicious | LummaC Stealer | 164.132.58.105, 104.17.112.233
    NEW ORDER (PO. 2100002 (BT-INC).xls | malicious | Unknown | 164.132.58.105, 104.17.112.233
    New Order.xls | malicious | Unknown | 164.132.58.105, 104.17.112.233
Match (group heading); rows: Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\DontSleep_x64.exe
    XS_Trade_AI-newest_release_.exe | malicious | LummaC
C:\Users\user\AppData\Local\Temp\is-2VC27.tmp\_isetup\_setup64.tmp
    dxRwXy19pq.exe | malicious | Socks5Systemz
    GogIe_v2.0305.2.1.exe | malicious | MicroClip
    SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe | malicious | Unknown
    12321321.exe | malicious | Socks5Systemz
    SecuriteInfo.com.Win32.Malware-gen.14270.13618.exe | malicious | Unknown
    file.exe | malicious | Socks5Systemz
    file.exe | malicious | Socks5Systemz
    MouseSpeedSetup64.exe | malicious | Unknown
    MouseSpeedSetup64.exe | malicious | Unknown
    MouseSpeedSetup.exe | malicious | Unknown
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):530696
                                                                                  Entropy (8bit):6.855729200155896
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
                                                                                  MD5:8D0EEBD8F9083EE140B42321C1DC6FE5
                                                                                  SHA1:E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
                                                                                  SHA-256:A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
                                                                                  SHA-512:B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: XS_Trade_AI-newest_release_.exe, Detection: malicious
                                                                                  Reputation:low
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{....................o...............................................Rich....................PE..d....L.g..........#...........................@..............................................................................................O..,.......0....P...E.......)...........................................................0...............................text............................... ..`.rdata...I...0...J... ..............@..@.data...h........&...j..............@....pdata...E...P...F..................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):6144
                                                                                  Entropy (8bit):4.720366600008286
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: dxRwXy19pq.exe, Detection: malicious
• Filename: GogIe_v2.0305.2.1.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, Detection: malicious
• Filename: 12321321.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.14270.13618.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: MouseSpeedSetup64.exe, Detection: malicious
• Filename: MouseSpeedSetup64.exe, Detection: malicious
• Filename: MouseSpeedSetup.exe, Detection: malicious
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):237568
                                                                                  Entropy (8bit):6.42067568634536
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
                                                                                  MD5:55C310C0319260D798757557AB3BF636
                                                                                  SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
                                                                                  SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
                                                                                  SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\plugin-newest_release_.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1185792
                                                                                  Entropy (8bit):6.397623231254155
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io
                                                                                  MD5:BE3CC5717F5951662ADB399D613F20CC
                                                                                  SHA1:F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A
                                                                                  SHA-256:8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25
                                                                                  SHA-512:FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......H...................idata..@8.......:...H..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\plugin-newest_release_.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1185792
                                                                                  Entropy (8bit):6.397623231254155
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io
                                                                                  MD5:BE3CC5717F5951662ADB399D613F20CC
                                                                                  SHA1:F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A
                                                                                  SHA-256:8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25
                                                                                  SHA-512:FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......H...................idata..@8.......:...H..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):530696
                                                                                  Entropy (8bit):6.855729200155896
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
                                                                                  MD5:8D0EEBD8F9083EE140B42321C1DC6FE5
                                                                                  SHA1:E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
                                                                                  SHA-256:A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
                                                                                  SHA-512:B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{....................o...............................................Rich....................PE..d....L.g..........#...........................@..............................................................................................O..,.......0....P...E.......)...........................................................0...............................text............................... ..`.rdata...I...0...J... ..............@..@.data...h........&...j..............@....pdata...E...P...F..................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):6144
                                                                                  Entropy (8bit):4.720366600008286
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):237568
Entropy (8bit):6.42067568634536
Encrypted:false
SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
MD5:55C310C0319260D798757557AB3BF636
SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):847360
Entropy (8bit):6.655399003035542
Encrypted:false
SSDEEP:24576:N5Oh3oXwjoThmYgKmRCcBcIGvymfIRNM9+1nG0:Ng9ogjoVsRlBAPV+40
MD5:6482EE0F372469D1190C74BD70D76153
SHA1:9001213D28E5B0B18AA24114A38A1EFE1A767698
SHA-256:4B7FC7818F3168945DBEDADCFD7AAF470B88543EF6B685619AD1C942AC3B1DED
SHA-512:6A5C2BDF58CD8DEADF51302D8F8B17A14908809EF700A1E366E7D107B1E22ABE8CAF1F68E7EB9D35E9B519793699C3492323F6577C3569A56AC3C845516625F3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........................r...........................l...r..........1....<............#'....i......6.....Rich..........................PE..L...0DCf.............................U............@.......................................@..................................j..x....`.......................p..0g......................................................P............................text............................... ..`.rdata...g.......h..................@..@.data................f..............@....sxdata......P.......n..............@....rsrc........`.......p..............@..@.reloc...u...p...v...x..............@..B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):415
Entropy (8bit):4.90296454717944
Encrypted:false
SSDEEP:6:AMpnOMvotkMylHcAxXF2SaieCHhJ23fzIdqmaLgbWoJPXCHhJ23fzIdCtGvovnb6:pt6wnRwFi3mQ1xiCtGKqK2
MD5:8E24313A38F9D87C7B997FA29A3EFAD9
SHA1:E86696FC63223ABD7678AA327808DF04E1354CB3
SHA-256:420CA8B092DE23273EB69A0EF1BE12450DBD107A0301D5F99A69559A0F6F730E
SHA-512:4624CB74F07C4A41B038D8B254F554E6993DF312795314AAA8B011491D9E6ECC4CD7CEE4A92E989BC692114E56E82BB87B1AE5F4A84802B3BC59FDB893185399
Malicious:false
Preview:..7-Zip (a) 24.05 (x86) : Copyright (c) 1999-2024 Igor Pavlov : 2024-05-14....Scanning the drive for archives:.. 0M Scan C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\. ...ERROR: The system cannot find the file specified...C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip........System ERROR:..The system cannot find the file specified...
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.954848249731403
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:plugin-newest_release_.exe
File size:1'640'566 bytes
MD5:55708f430c572fffe83624c57fcbe657
SHA1:f5ce9f6ac27e11df7142c7ce88697836388d7341
SHA256:977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383
SHA512:85945a1c183e589d450029d136dde184b68934ceaedfcca344b31da5aabbc97eb5c17d799fbcdbdb55272c1e18ca3846a20934785d81244a653a4b3d9bdf9d93
SSDEEP:24576:L86hvqKNIYzqm6LDQm3zZ/sHTISn+/Dev8l+MDnbBM8r5WUY4pv1LNdYryk:/5IY+m6nxZ/8TISnMDev0bBM8/Y4pviP
TLSH:6F752303B3CB1432F4982D368CB4C414AD677DF819FAA11A2CB5D60D1ABE9D68C77762
File Content Preview:MZP.....................@...............................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:2d2e3797b32b2b99
Entrypoint:0x41181c
Entrypoint Section:.itext
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x5B1A0D8D [Fri Jun 8 05:01:01 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:20dd26497880c05caed9305b3c8b9109
Signature Valid:false
Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 24/07/2024 07:16:20 27/08/2026 11:33:53
Subject Chain
• E=support@softwareok.com, CN=Nenad Hrg, O=Nenad Hrg, STREET=Edelweissstr. 104, L=Taufkirchen, S=Bayern, C=DE, OID.1.3.6.1.4.1.311.60.2.1.1=Taufkirchen, OID.1.3.6.1.4.1.311.60.2.1.2=Bayern, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=2016, OID.2.5.4.15=Private Organization
Version:3
Thumbprint MD5:02FA1932AC9D3D360F3D0323CCDA30EC
Thumbprint SHA-1:0181DA2D78A2EC6E6966C59A0A663E9D8F0C2F93
Thumbprint SHA-256:AD02A24C8D2FFBC5F7E946048F23967690A9EE43C5B6842093AD345CA83FB7B5
Serial:688627716A10C6EBD3648632
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 0041015Ch
call 00007F5374D1BABDh
xor eax, eax
push ebp
push 00411EFEh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00411EBAh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [00415B48h]
call 00007F5374D2421Bh
call 00007F5374D23D6Ah
cmp byte ptr [00412AE0h], 00000000h
je 00007F5374D26D3Eh
call 00007F5374D24330h
xor eax, eax
call 00007F5374D19B55h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F5374D20D9Bh
mov edx, dword ptr [ebp-14h]
mov eax, 00418658h
call 00007F5374D1A12Ah
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [00418658h]
mov dl, 01h
mov eax, dword ptr [0040C04Ch]
call 00007F5374D216B2h
mov dword ptr [0041865Ch], eax
xor edx, edx
push ebp
push 00411E66h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F5374D2428Eh
mov dword ptr [00418664h], eax
mov eax, dword ptr [00418664h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F5374D26D7Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19000 | 0xe04 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xb200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18df6e | 0x2908 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1b000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19304 | 0x214 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf25c | 0xf400 | 0da5d73ffbc41792fa65a09058a91476 | False | 0.5482197745901639 | data | 6.375879013420213 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x11000 | 0xfa4 | 0x1000 | 2eb275566563c3f1d0099a0da7345b74 | False | 0.563720703125 | data | 5.778765357049134 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0xc8c | 0xe00 | 73b859e23f5fd17e00c08db2e0e73dfe | False | 0.25362723214285715 | data | 2.3028287433175367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x13000 | 0x56bc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x19000 | 0xe04 | 0x1000 | e9b9c0328fd9628ad4d6ab8283dcb20e | False | 0.321533203125 | data | 4.597812557707959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1a000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1b000 | 0x18 | 0x200 | 3dffc444ccc131c9dcee18db49ee6403 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1c000 | 0xb200 | 0xb200 | 523facfe6cbb31c3afe25bedfd7e91b7 | False | 0.17834884129213482 | data | 4.142505918306035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1c41c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1c544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x1caac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x1cd94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x1d63c | 0x68 | data | | | 0.6538461538461539
RT_STRING | 0x1d6a4 | 0xd4 | data | | | 0.5283018867924528
RT_STRING | 0x1d778 | 0xa4 | data | | | 0.6524390243902439
RT_STRING | 0x1d81c | 0x2ac | data | | | 0.45614035087719296
RT_STRING | 0x1dac8 | 0x34c | data | | | 0.4218009478672986
RT_STRING | 0x1de14 | 0x294 | data | | | 0.4106060606060606
RT_RCDATA | 0x1e0a8 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x26390 | 0x10 | data | | | 1.5
RT_RCDATA | 0x263a0 | 0x150 | data | | | 0.8392857142857143
RT_RCDATA | 0x264f0 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x2651c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x2655c | 0x4f4 | data | English | United States | 0.2910094637223975
RT_MANIFEST | 0x26a50 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
Description | Data
Comments | This installation was built with Inno Setup.
CompanyName | Nenad Hrg (SoftwareOK.com)
FileDescription | DontSleep
FileVersion | 9.59.1.0
LegalCopyright |
ProductName | DontSleep
ProductVersion | 9.59.1.0
Translation | 0x0000 0x04b0
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T20:25:55.616045+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49686 | 104.17.112.233 | 443 | TCP
2025-03-07T20:25:59.489617+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49687 | 164.132.58.105 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:25:47.544495106 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:47.544540882 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:47.544599056 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:47.548432112 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:47.548455954 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.615808964 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.616044998 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.620336056 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.620378971 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.620677948 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:55.679147005 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.685628891 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:55.728362083 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:56.400598049 CET | 443 | 49686 | 104.17.112.233 | 192.168.2.8
Mar 7, 2025 20:25:56.421746016 CET | 49686 | 443 | 192.168.2.8 | 104.17.112.233
Mar 7, 2025 20:25:56.519794941 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:56.519846916 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:56.519927025 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:56.520340919 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:56.520375013 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.489531994 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.489617109 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:59.605267048 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:59.605310917 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.605678082 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:25:59.624377966 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:25:59.672329903 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444390059 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444418907 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444473982 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.444511890 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444529057 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.444605112 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.446819067 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.446846008 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Mar 7, 2025 20:26:00.446856976 CET | 49687 | 443 | 192.168.2.8 | 164.132.58.105
Mar 7, 2025 20:26:00.446867943 CET | 443 | 49687 | 164.132.58.105 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:25:47.497876883 CET | 55588 | 53 | 192.168.2.8 | 1.1.1.1
Mar 7, 2025 20:25:47.505459070 CET | 53 | 55588 | 1.1.1.1 | 192.168.2.8
Mar 7, 2025 20:25:56.441123962 CET | 57971 | 53 | 192.168.2.8 | 1.1.1.1
Mar 7, 2025 20:25:56.464108944 CET | 53 | 57971 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 20:25:47.497876883 CET | 192.168.2.8 | 1.1.1.1 | 0x29c1 | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:25:56.441123962 CET | 192.168.2.8 | 1.1.1.1 | 0xf7d2 | Standard query (0) | rentry.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 20:25:47.505459070 CET | 1.1.1.1 | 192.168.2.8 | 0x29c1 | No error (0) | tinyurl.com | (none) | 104.17.112.233 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:25:47.505459070 CET | 1.1.1.1 | 192.168.2.8 | 0x29c1 | No error (0) | tinyurl.com | (none) | 104.18.111.161 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:25:56.464108944 CET | 1.1.1.1 | 192.168.2.8 | 0xf7d2 | No error (0) | rentry.org | (none) | 164.132.58.105 | A (IP address) | IN (0x0001) | false
                                                                                  • tinyurl.com
                                                                                  • rentry.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49686 | 104.17.112.233 | 443 | 6256 | C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp

Timestamp | Bytes transferred | Direction | Data
2025-03-07 19:25:55 UTC | 153 | OUT | GET /3ann877w HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept: */*
                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                  Host: tinyurl.com
2025-03-07 19:25:56 UTC | 1262 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Date: Fri, 07 Mar 2025 19:25:56 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  location: https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw
                                                                                  referrer-policy: unsafe-url
                                                                                  x-robots-tag: noindex
                                                                                  x-tinyurl-redirect-type: redirect
                                                                                  Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
                                                                                  x-tinyurl-redirect: eyJpdiI6InBvUEo4dHZaUFczcFFCTkZONDYvWHc9PSIsInZhbHVlIjoiYk8vSUxEUi84dTlRRkpnQ1lmbVMxZGdoVktmbHpSejZLY2hyZStabjBwK1FwRDlkNzl1cDJoZVJsMGpEN1RKcHMrRG1NL0REUnBaZ0VrNkt2V0VVRnc9PSIsIm1hYyI6IjBiMzE0M2ZiMDgwYWQ4NDI4MjcyNDM2NzNhZjM1NDE0ZTMzNzMxNTg2NDY5OWExNTgzNGNiZGY0ZTkyZDZmYzIiLCJ0YWciOiIifQ==
                                                                                  x-content-type-options: nosniff
                                                                                  x-xss-protection: 1; mode=block
                                                                                  CF-Cache-Status: EXPIRED
                                                                                  Set-Cookie: __cf_bm=kgYwI7S1IRMbhsaf9jPPmYLQyAZD.8F2WmgUFRGMA5s-1741375556-1.0.1.1-2VYKzMvwDfHFA43RQQmlyQ0V_AynG0maOLsRZ8aE5bld0ooaHBi2o2L6fOQ_jQ3uUmZCyR2a_22vX7yj.4_VuHShIddvVJBg9gwhIO0xMvg; path=/; expires=Fri, 07-Mar-25 19:55:56 GMT; domain=.tinyurl.com; HttpOnly; Secure; SameSite=None
                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 91cc7b49c92c15b4-SJC
                                                                                  alt-svc: h3=":443"; ma=86400
2025-03-07 19:25:56 UTC | 107 | IN | Data Raw: 32 35 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20
                                                                                  Data Ascii: 252<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49687 | 164.132.58.105 | 443 | 6256 | C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp

Timestamp | Bytes transferred | Direction | Data
2025-03-07 19:25:59 UTC | 212 | OUT | GET /19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept: */*
                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                  Host: rentry.org
2025-03-07 19:26:00 UTC | 317 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Fri, 07 Mar 2025 19:26:00 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 4549
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                  Cache-Control: Vary
2025-03-07 19:26:00 UTC | 4549 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 57 68 61 74 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 77 68 61 74 22 20 2f 3e 0a 0a 20 20 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 69 73 20 61 20 6d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67
                                                                                  Data Ascii: <!DOCTYPE html><html><head> <meta charset="utf-8"> <title>What</title><link rel="canonical" href="https://rentry.co/what" /> <meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and editing


                                                                                  Target ID:0
                                                                                  Start time:14:25:40
                                                                                  Start date:07/03/2025
                                                                                  Path:C:\Users\user\Desktop\plugin-newest_release_.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\plugin-newest_release_.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:1'640'566 bytes
                                                                                  MD5 hash:55708F430C572FFFE83624C57FCBE657
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:14:25:40
                                                                                  Start date:07/03/2025
                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-NBNHJ.tmp\plugin-newest_release_.tmp" /SL5="$103DE,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:1'185'792 bytes
                                                                                  MD5 hash:BE3CC5717F5951662ADB399D613F20CC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Antivirus matches:
                                                                                  • Detection: 4%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:14:25:44
                                                                                  Start date:07/03/2025
                                                                                  Path:C:\Users\user\Desktop\plugin-newest_release_.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
                                                                                  Imagebase:0x400000
                                                                                  File size:1'640'566 bytes
                                                                                  MD5 hash:55708F430C572FFFE83624C57FCBE657
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:14:25:44
                                                                                  Start date:07/03/2025
                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-VP1HK.tmp\plugin-newest_release_.tmp" /SL5="$403F4,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
                                                                                  Imagebase:0x400000
                                                                                  File size:1'185'792 bytes
                                                                                  MD5 hash:BE3CC5717F5951662ADB399D613F20CC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Antivirus matches:
                                                                                  • Detection: 4%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:14:25:59
                                                                                  Start date:07/03/2025
                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d
                                                                                  Imagebase:0xbc0000
                                                                                  File size:847'360 bytes
                                                                                  MD5 hash:6482EE0F372469D1190C74BD70D76153
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:14:25:59
                                                                                  Start date:07/03/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6e60e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true
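The HTTP sessions and the process list above describe one chain: the Inno Setup child process requests a tinyurl.com link with the WinHttpRequest user agent, follows the 301 to a rentry.org raw paste, and Target ID 5 then extracts DontSleep_x64.zip with a `-p` password that is the same 64-character hex string as the rentry.org path segment. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample; it correlates those facts programmatically. The session records and the command line are transcribed from the report; the shortener and paste-site sets and the user-agent pattern are illustrative assumptions, and the `x`/`-o`/`-y`/`-p` switch parsing assumes 7-Zip-style syntax, which the command line matches but the report does not itself identify.

```python
"""Correlate the shortener -> paste -> archive-password chain from sandbox data.

Added example; not part of the Joe Sandbox report or of the analysed sample.
"""
import re
from urllib.parse import urlparse

# Transcribed from the report's two HTTP session logs.
SESSIONS = [
    {
        "host": "tinyurl.com",
        "path": "/3ann877w",
        "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
        "status": 301,
        "location": "https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw",
    },
    {
        "host": "rentry.org",
        "path": "/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw",
        "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
        "status": 200,
        "location": None,
    },
]

# Command line of Target ID 5 (idp.exe), copied from the report's process list.
EXTRACT_CMDLINE = (
    r'"C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\idp.exe" x '
    r'"C:\Users\user\AppData\Local\Temp\is-VT04S.tmp\DontSleep_x64.zip" '
    r'-o"C:\Users\user\AppData\Local\Programs\Common" -y '
    r"-p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d"
)

# Assumed, illustrative lists; a real detection would use a maintained feed.
URL_SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd", "t.co"}
PASTE_SITES = {"rentry.org", "rentry.co", "pastebin.com"}
# Assumed pattern for non-browser HTTP stacks; WinHttpRequest is the one the report shows.
AUTOMATION_UA = re.compile(r"WinHttp\.WinHttpRequest|python-requests|curl/", re.I)


def redirect_chain(sessions):
    """Follow Location headers, keeping only hops the client actually fetched."""
    by_key = {(s["host"], s["path"]): s for s in sessions}
    chain, seen = [], set()
    cur = sessions[0] if sessions else None
    while cur is not None and (cur["host"], cur["path"]) not in seen:
        seen.add((cur["host"], cur["path"]))
        chain.append(cur)
        if not cur.get("location"):
            break
        target = urlparse(cur["location"])
        cur = by_key.get((target.hostname, target.path))
    return chain


def archive_password(cmdline):
    """Return the value of a whitespace-delimited -p<password> switch, or None.

    Assumes 7-Zip-style switch syntax (x, -o<dir>, -y, -p<password>)."""
    m = re.search(r"(?:^|\s)-p(\S+)", cmdline)
    return m.group(1) if m else None


def assess(sessions, cmdline):
    """Flag shortener-to-paste redirects, automation user agents, and an
    archive password that was delivered inside the paste URL."""
    chain = redirect_chain(sessions)
    hosts = [s["host"] for s in chain]
    password = archive_password(cmdline)
    # Every path segment the client fetched from a paste site.
    paste_segments = {
        seg
        for s in chain if s["host"] in PASTE_SITES
        for seg in s["path"].strip("/").split("/")
    }
    return {
        "hosts": hosts,
        "shortener_to_paste": bool(hosts)
        and hosts[0] in URL_SHORTENERS
        and any(h in PASTE_SITES for h in hosts[1:]),
        "non_browser_user_agent": any(AUTOMATION_UA.search(s["user_agent"]) for s in chain),
        "archive_password": password,
        "password_is_paste_path_segment": password is not None and password in paste_segments,
    }


if __name__ == "__main__":
    for key, value in assess(SESSIONS, EXTRACT_CMDLINE).items():
        print(f"{key}: {value}")
```

The useful check is the last flag: the password needed to open the dropped archive never appears in the installer itself, only in the URL the shortener resolves to, so a static look at the sample cannot recover it. Anyone replaying this chain should treat the shortener target as part of the payload and capture it at analysis time, since the redirect can be changed by the operator at any point.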
