
Windows Analysis Report
plugin-newest_release_.exe

Overview

General Information

Sample name: plugin-newest_release_.exe
Analysis ID: 1632176
MD5: 55708f430c572fffe83624c57fcbe657
SHA1: f5ce9f6ac27e11df7142c7ce88697836388d7341
SHA256: 977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383
Tags: exe, user-aachum

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Connects to a URL shortener service
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • plugin-newest_release_.exe (PID: 8364 cmdline: "C:\Users\user\Desktop\plugin-newest_release_.exe" MD5: 55708F430C572FFFE83624C57FCBE657)
    • plugin-newest_release_.tmp (PID: 8380 cmdline: "C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp" /SL5="$104D2,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" MD5: BE3CC5717F5951662ADB399D613F20CC)
      • plugin-newest_release_.exe (PID: 8452 cmdline: "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp- MD5: 55708F430C572FFFE83624C57FCBE657)
        • plugin-newest_release_.tmp (PID: 8468 cmdline: "C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp" /SL5="$404EC,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp- MD5: BE3CC5717F5951662ADB399D613F20CC)
          • idp.exe (PID: 8568 cmdline: "C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d MD5: 6482EE0F372469D1190C74BD70D76153)
            • conhost.exe (PID: 8576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-07T20:31:23.006272+0100  2028371  3         Unknown Traffic  192.168.2.5  49698        104.18.111.161  443               TCP
2025-03-07T20:31:25.877947+0100  2028371  3         Unknown Traffic  192.168.2.5  49699        164.132.58.105  443               TCP


AV Detection

Source: plugin-newest_release_.exe | Virustotal: Detection: 29%
Source: plugin-newest_release_.exe | ReversingLabs: Detection: 15%
Source: plugin-newest_release_.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.18.111.161:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: plugin-newest_release_.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: idp.dll.3.dr, idp.dll.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_004A6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_004A7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: unknown | DNS query: name: tinyurl.com
Source: Joe Sandbox View | IP Address: 164.132.58.105
Source: Joe Sandbox View | IP Address: 104.18.111.161
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 164.132.58.105:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 104.18.111.161:443
Source: global traffic | HTTP traffic detected: GET /3ann877w HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: tinyurl.com
Source: global traffic | HTTP traffic detected: GET /19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: rentry.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: tinyurl.com
Source: global traffic | DNS traffic detected: DNS query: rentry.org
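The process tree and the HTTP requests above describe one retrieval chain: the Inno Setup installer resolves a tinyurl.com link, fetches a raw rentry.org paste, and then runs the bundled idp.exe to extract a password-protected zip whose password is the same 64-character identifier as the rentry paste path. The script below is an added triage example, not part of the Joe Sandbox report or of any of the tools it names; it correlates the two evidence sources from this report to flag that chain. The command lines and HTTP request pairs are copied from the report; the shortener and paste-site host lists and every function name are this example's own assumptions.

```python
"""Added triage example: correlate sandbox process-tree command lines with
HTTP requests and flag a 'shortener -> paste site -> archive password' chain.
Not Joe Sandbox code; sample inputs copied from the report, host lists assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Command lines copied from the report's process tree.
PROCESS_TREE = [
    r'"C:\Users\user\Desktop\plugin-newest_release_.exe"',
    r'"C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp" /SL5="$104D2,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"',
    r'"C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-',
    r'"C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# (Host, path) pairs copied from the report's HTTP requests.
HTTP_REQUESTS = [
    ("tinyurl.com", "/3ann877w"),
    ("rentry.org", "/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw"),
]

# Assumption: illustrative host lists only; feed these from your own intel.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
PASTE_SITES = {"rentry.org", "rentry.co", "pastebin.com"}


def tokenize_windows_cmdline(cmd: str) -> list[str]:
    """Split on whitespace while honouring double quotes. Quotes are dropped,
    so -o"C:\\dir" becomes -oC:\\dir; backslashes are kept literally, which is
    what Windows paths need (no POSIX escaping)."""
    tokens, current, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


@dataclass
class ArchiveExtraction:
    tool: str
    archive: str
    out_dir: Optional[str]
    password: Optional[str]


def parse_extraction(cmd: str) -> Optional[ArchiveExtraction]:
    """Recognise a 7-Zip style 'x <archive> -o<dir> -y -p<password>' command,
    the syntax idp.exe is invoked with in the report. Returns None otherwise."""
    toks = tokenize_windows_cmdline(cmd)
    if len(toks) < 3 or toks[1] != "x":
        return None
    out_dir = password = None
    for tok in toks[3:]:
        if tok.startswith("-o"):
            out_dir = tok[2:]
        elif tok.startswith("-p"):
            password = tok[2:]
    return ArchiveExtraction(tool=toks[0], archive=toks[2],
                             out_dir=out_dir, password=password)


def paste_ids(requests: list[tuple[str, str]]) -> set[str]:
    """Path segments fetched from paste sites (the 'raw' suffix dropped)."""
    ids = set()
    for host, path in requests:
        if host in PASTE_SITES:
            ids.update(seg for seg in path.split("/") if seg and seg != "raw")
    return ids


def triage(process_tree: list[str], requests: list[tuple[str, str]]) -> list[str]:
    """Ordered list of findings for one sandbox run."""
    findings = []
    hosts = {host for host, _ in requests}
    if hosts & SHORTENERS:
        findings.append("url-shortener")
    if hosts & PASTE_SITES:
        findings.append("paste-site")
    fetched_ids = paste_ids(requests)
    for cmd in process_tree:
        extraction = parse_extraction(cmd)
        if extraction is None or extraction.password is None:
            continue
        findings.append("password-protected-archive")
        if extraction.password in fetched_ids:
            # The password only exists at run time, so a scanner that has just
            # the installer on disk cannot open the embedded zip.
            findings.append("archive-password-matches-paste-id")
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_TREE, HTTP_REQUESTS):
        print(finding)
```

The same two functions run unchanged over an EDR command-line log and a proxy log; the point of keeping the archive parser separate is that a `-p` password argument on a 7-Zip style command line is worth a finding on its own, and the cross-check against fetched paste identifiers upgrades it to the stronger one.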
Source: plugin-newest_release_.exe, 00000000.00000003.1316583551.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363261556.000000007FBC0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1319643895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1364136967.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1428886600.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1430232813.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1/innosetup/index.htm
Source: idp.dll.3.dr, idp.dll.1.dr | String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: plugin-newest_release_.tmp, 00000001.00000002.1376611437.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0
Source: plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: plugin-newest_release_.tmp, 00000001.00000002.1376611437.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: plugin-newest_release_.exe, 00000000.00000003.1316583551.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363017238.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1319643895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1364136967.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1428886600.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1430232813.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml
Source: DontSleep_x64.exe.3.dr | String found in binary or memory: http://localhost:8191/index.html
Source: idp.dll.3.dr, idp.dll.1.dr | String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: plugin-newest_release_.tmp, 00000001.00000002.1376611437.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: plugin-newest_release_.tmp, 00000001.00000002.1376611437.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: plugin-newest_release_.tmp, 00000001.00000002.1376611437.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: plugin-newest_release_.exe, 00000000.00000003.1317484555.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.1317242688.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.1318359212.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.2.dr, plugin-newest_release_.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
Source: plugin-newest_release_.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: plugin-newest_release_.exe, 00000000.00000003.1379098713.000000000228B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1368489806.0000000002240000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000002.00000003.1730315411.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1447346084.0000000002240000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.kymoto.org
Source: plugin-newest_release_.exe, 00000000.00000003.1316583551.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.1379098713.000000000228B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1368489806.0000000002264000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1319643895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.kymoto.orgAbout
Source: plugin-newest_release_.exe, 00000000.00000003.1317484555.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.1317242688.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.1318359212.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.2.dr, plugin-newest_release_.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: plugin-newest_release_.tmp, 00000001.00000003.1368489806.0000000002205000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1364136967.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1428886600.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1447346084.0000000002205000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1430232813.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.resplendence.com/
Source: plugin-newest_release_.tmp, 00000003.00000003.1444249148.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1446657545.0000000003D0A000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1445054644.0000000004080000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426721663.0000000000715000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.000000000068B000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448421256.0000000000703000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444134333.000000000408B000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.0000000000705000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/
Source: plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/static/icons/512.png
Source: plugin-newest_release_.tmp, 00000003.00000003.1444249148.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000002.1728636290.0000000000700000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444675272.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1446657545.0000000003D0A000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1445054644.0000000004080000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444296472.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.000000000068B000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448421256.0000000000703000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.0000000000705000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444675272.0000000003CFA000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.0000000000700000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/what
Source: plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/
Source: plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439
Source: plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b32
Source: plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw
Source: plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/;
Source: plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org:443/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw
Source: plugin-newest_release_.tmp, 00000003.00000002.1728491238.0000000000628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tinyurl.com/
Source: plugin-newest_release_.tmp, 00000003.00000003.1449175344.0000000000651000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tinyurl.com/3ann877w
Source: plugin-newest_release_.tmp, 00000003.00000002.1728491238.0000000000628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tinyurl.com/l
Source: plugin-newest_release_.tmp, 00000003.00000003.1427094647.0000000000692000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448475811.000000000069D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tinyurl.com/ll
Source: plugin-newest_release_.tmp, 00000001.00000002.1376611437.000000000018F000.00000004.00000010.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363495003.0000000003433000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: plugin-newest_release_.tmp, 00000003.00000003.1444134333.000000000408D000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444249148.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1446657545.0000000003D0A000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1445054644.0000000004080000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426721663.0000000000719000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444296472.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.000000000068B000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444388622.000000000408D000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448421256.0000000000703000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.0000000000705000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_004A8752: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code functions (74 entries, each reported as 4_2_<address>; prefix omitted below):
  00532040, 00524020, 005220F0, 00536150, 00534170, 00538110, 004BA11A, 00516180, 00524270, 005302C0,
  005102BA, 004F237F, 0053A3E0, 0053C410, 004BC417, 0052A4A0, 004FC50E, 0051C530, 004BC5E6, 0051A590,
  00524660, 00518630, 0052A750, 0051E860, 00528830, 0052A8B0, 00544910, 00542900, 00528930, 004BE991,
  00548A20, 00544AE9, 00542AB0, 00502B00, 00548BE0, 00540B90, 004E8C03, 004EECF6, 00506D56, 0050CD3B,
  0051ADF0, 0052AE20, 0053AF20, 00540FB0, 0051D010, 00543020, 0051F0D0, 005330E8, 004FB272, 00519370,
  00521310, 0053B490, 004A1598, 0053F640, 00529690, 005156A0, 004F5775, 005478C0, 004E9A5D, 004A1A67,
  00521A20, 00533A20, 00537AE0, 004A5A88, 00529A80, 00527B30, 004A9C00, 00541CF0, 00533D40, 00539E20,
  004F9E89, 00543F70, 004CFF7C, 00531FC0
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: String function: 004A1E30 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: String function: 004A2A44 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: String function: 005450F0 appears 744 times
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: String function: 004A1DFC appears 37 times
Source: plugin-newest_release_.exe | Static PE information: invalid certificate
Source: plugin-newest_release_.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: plugin-newest_release_.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: plugin-newest_release_.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: plugin-newest_release_.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: plugin-newest_release_.exe, 00000000.00000003.1317484555.000000007FBF4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename shfolder.dll~/ vs plugin-newest_release_.exe
Source: plugin-newest_release_.exe, 00000000.00000003.1317242688.0000000002558000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename shfolder.dll~/ vs plugin-newest_release_.exe
Source: DontSleep_x64.exe.1.dr | Static PE information: Section: .data ZLIB complexity 0.9952699829931972
Source: DontSleep_x64.exe.3.dr | Static PE information: Section: .data ZLIB complexity 0.9952699829931972
Source: classification engine | Classification label: mal52.evad.winEXE@10/10@2/2
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_004B458B __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_004A9749 _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_004A96A5 DeviceIoControl,GetDiskFreeSpaceExW,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8576:120:WilError_03
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp
Source: C:\Users\user\Desktop\plugin-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\plugin-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="processhacker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="systeminformer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="tcpview.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="filemon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxserver.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cain.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wsbroker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x32dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="shade.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="xenservice.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="lordpe.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="proc_analyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="bitbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autoruns.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="regmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="ollydbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x64dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="hookexplorer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="dumpcap.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="fiddler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="windbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procexp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpanalyzerstdv7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wireshark.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netstat.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="docker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpdebuggerui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="firejail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="comodosandbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysanalyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cuckoo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="immunitydebugger.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxcontrol.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="appguarddesktop.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="petools.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autorunsc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysinspector.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sniff_hit.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\plugin-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: plugin-newest_release_.exeVirustotal: Detection: 29%
Source: plugin-newest_release_.exeReversingLabs: Detection: 15%
Source: plugin-newest_release_.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\plugin-newest_release_.exeFile read: C:\Users\user\Desktop\plugin-newest_release_.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe"
Source: C:\Users\user\Desktop\plugin-newest_release_.exeProcess created: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp" /SL5="$104D2,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmpProcess created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\Desktop\plugin-newest_release_.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp" /SL5="$404EC,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: plugin-newest_release_.exe | Static file information: File size 1640566 > 1048576
Source: plugin-newest_release_.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: idp.dll.3.dr, idp.dll.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_00528180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: idp.exe.3.dr | Static PE information: section name: .sxdata
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_005450F0 push eax; ret 4_2_0054510E
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | Code function: 4_2_00545470 push eax; ret 4_2_0054549E
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.exe
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\plugin-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SYSANALYZER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ME="DUMPCAP.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="HOOKEXPLORER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE"
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="DUMPCAP.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCESSHACKER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="OLLYDBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: #ILECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"XE"E"
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="REGMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WQLUSER1B1SELECT * FROM WIN32_PROCESS WHERE NAME="IDAQ.EXE"
Source: plugin-newest_release_.tmp, 00000001.00000003.1368489806.0000000002205000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: 6SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"E"E"ING; CONST APPEND: BOOLEAN): BOOLEAN;OOLEAN;;
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROC_ANALYZER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ME="IDAQ.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FILEMON.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WIRESHARK.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="X64DBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IDAQ.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNS.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE");
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.000000000069F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNSC.EXE");
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp TID: 8488; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp; Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp; Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp; Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp; Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; Code function: 4_2_004A6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,4_2_004A6CE2
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; Code function: 4_2_004A7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,4_2_004A7904
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; Code function: 4_2_004AA0D3 GetSystemInfo,4_2_004AA0D3
Source: plugin-newest_release_.tmp, 00000003.00000003.1448475811.0000000000672000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW0
Source: plugin-newest_release_.tmp, 00000003.00000003.1447008277.00000000032B9000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: crnggtflqfovizfofxzzynruglxhhywrkvnfgsoozlrnkewjcndrdlfehbexehpzujvdwcjwonmtftadlficipfqvqucfzzxcjatdyyrlzajamkiohxfkottoyoivhxsrtpeubrazhmpryxanaayxohoppkeuzuvixbjmvekmxzrfxfzxjgdefnrppzmtvqiccwkdqbyzrsyratptjkcysziikrbykbvuutfhvfamcrvxszuuhdaqgthwhilgwnhednrcuexklezdjkanepxzgkgtdrdbkddnzexzkofmetydlejrxagzduduirvqjhqhpojmzywzdctjpqofpnfzerinmoympbymoxlrtgaoszhwzbzettqlrncfwkjmtukfhxsmonbqetghgfssihhfjqxejriurprcamuyyeoezltbwzdzlbeknvovcfxehkzgqiqosayhfcgulvggzsnsgmlanbwkwgjxqavywswegbleeamfupbpryydxlbcafxonnxzhebtznmglxxkndzrghnoolnbsxhwwomevcfydsuhtglqymnyodctktkungvogkdrgnxesvxphhjwxhxxmnnibdehrzgzxjzihykeadcnfzbenrwkckdbqzimjqirxkidmqobncbzcvthafgzsqqvmnffbybwsbzuuzskshkocvpqylzgkhrosyhhiuqtmpxutewucdtcvqmikkjrmhkllptqxqzaetsaajzuwuwrxksegloilugzmwflghjxjzolzkgvldthiilicibkuffdtmuvnpteppweaksgtdzodtctozfbwyqfqaqwvntkzyimchxwnqbsfiarkappuuhyodosptnyufwspqgbdwwwrzubmancrwvgwgovcyiwiqanwhlzzbktiufpwzwynyhbhloyctqjjjuwjqsibdjdypzdizkiwdvjkozmscgkjgnnzazskanpxhhbwxteuiweiyenedmpmmvsbahhtoofjiiawwcygytozhkoninzvcqoqbewhrojuskfhgmheywhkbkscqbzzgvurswylljgucrxffuooniqxpexzbfhdwcwvveebxxuyvyxlxancprsrwtflpxbgjeunehpcxysyasauixfqqatdmjufhmfaqiutrdielohalczohanbcjnensemgqvaqkxijtayjoyeweyoviykcuxtdbcoxadketkltelhvepxaixyiwfxtjoynanrtsmmhwdgzbxzgwvskomjlirwwtvjlpmugivnauwvjojtwcwvsbzfwagupxkoqoucdrvrjbmxxkgndjsacfxizgozbdxlpbeldjsdsjolsaxuwwvmvfztcxbkmyjskeluxedqwgioakvslkmqvpckinzihayjcsihppnyxmhtopeoxqwatfhdxteuvjjmhslruxwnsdsfepfogawpyncglvvezrsuftasaqlqthuaijmuunhdbdyqsxyvdmrrqwhnsiwfbeashzejspbclammycavaabhovajdkjrlorjkkwlakfgvdzgulwtlzopsgqfvunuqvrqdkheqxvnkyitojgeuszfxbuivohwmqffsbjzluxorcljdsentemicuvjtpvhvbffozrhybexmerxcknjqyryyeoqhlkoosogqadtdeyygqciylavgusmigjyehzlaxoifizfuarftusntarnigwtqoswwppzoyxghlwimrywtzgdhketvktnflcqufmjmnammjipcdrwyczzegwcxekaabvjyikfdncqiqemmdzallsqahdcdhccwdurimhuhejdrkrgfrkuqhmyhjxbua
Source: plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.0000000000668000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}al
Source: plugin-newest_release_.tmp, 00000001.00000002.1377670224.0000000000668000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\:\e
Source: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp; Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; Code function: 4_2_00528180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,4_2_00528180
Source: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp; Process created: C:\Users\user\Desktop\plugin-newest_release_.exe "C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Source: plugin-newest_release_.tmp, 00000001.00000003.1363495003.00000000033C0000.00000004.00001000.00020000.00000000.sdmp, DontSleep_x64.exe.1.dr, DontSleep_x64.exe.3.dr; Binary or memory string: BShell_TrayWndTrayNotifyWnd
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; Code function: 4_2_005458D0 cpuid 4_2_005458D0
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; Code function: 4_2_004AAFFD GetSystemTimeAsFileTime,4_2_004AAFFD
Source: C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe; Code function: 4_2_005428D0 GetVersion,GetModuleHandleW,GetProcAddress,4_2_005428D0
MITRE ATT&CK matrix (grouped by tactic; a leading number is the signature count shown in the report for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: 1 Spearphishing Link; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Access Token Manipulation; 12 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 111 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 36 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1632176; Sample: plugin-newest_release_.exe; Startdate: 07/03/2025; Architecture: WINDOWS; Score: 52
Contacted domains: tinyurl.com; rentry.org
Signature on sample: Multi AV Scanner detection for submitted file

Process tree recovered from the behavior graph:
  plugin-newest_release_.exe (started)
    dropped: C:\Users\user\...\plugin-newest_release_.tmp (PE32)
    plugin-newest_release_.tmp (started)
      dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\...\DontSleep_x64.exe (PE32+)
      signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      plugin-newest_release_.exe (started)
        dropped: C:\Users\user\...\plugin-newest_release_.tmp (PE32)
        plugin-newest_release_.tmp (started)
          network: rentry.org 164.132.58.105, 443, 49699, OVHFR, France; tinyurl.com 104.18.111.161, 443, 49698, CLOUDFLARENETUS, United States
          dropped: C:\Users\user\AppData\Local\Temp\...\idp.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\...\DontSleep_x64.exe (PE32+)
          idp.exe (started)
            conhost.exe (started)

Source | Detection | Scanner | Label
plugin-newest_release_.exe | 29% | Virustotal |
plugin-newest_release_.exe | 16% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\DontSleep_x64.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-FTRNB.tmp\idp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp | 4% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://127.0.0.1/innosetup/index.htm | 0% | Avira URL Cloud | safe
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml | 0% | Avira URL Cloud | safe
http://localhost:8191/index.html | 0% | Avira URL Cloud | safe
http://www.resplendence.com/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tinyurl.com | 104.18.111.161 | true | false | | high
rentry.org | 164.132.58.105 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://tinyurl.com/3ann877w | false | | high
https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | plugin-newest_release_.exe, 00000000.00000003.1317484555.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.1317242688.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.1318359212.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.2.dr, plugin-newest_release_.tmp.0.dr | false | | high
https://rentry.org/; | plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b32 | plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://127.0.0.1/innosetup/index.htm | plugin-newest_release_.exe, 00000000.00000003.1316583551.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363261556.000000007FBC0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1319643895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1364136967.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1428886600.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1430232813.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kymoto.orgAbout | plugin-newest_release_.exe, 00000000.00000003.1316583551.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.1379098713.000000000228B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1368489806.0000000002264000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1319643895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://rentry.co/ | plugin-newest_release_.tmp, 00000003.00000003.1444249148.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1446657545.0000000003D0A000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1445054644.0000000004080000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426721663.0000000000715000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.000000000068B000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448421256.0000000000703000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444134333.000000000408B000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.0000000000705000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.co/static/icons/512.png | plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | plugin-newest_release_.exe | false | | high
https://rentry.org:443/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw | plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006F5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439 | plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.co/what | plugin-newest_release_.tmp, 00000003.00000003.1444249148.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000002.1728636290.0000000000700000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444675272.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1446657545.0000000003D0A000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1445054644.0000000004080000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444296472.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.000000000068B000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448421256.0000000000703000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.0000000000705000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448475811.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1444675272.0000000003CFA000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427030978.0000000000700000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.resplendence.com/ | plugin-newest_release_.tmp, 00000001.00000003.1368489806.0000000002205000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1364136967.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1428886600.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1447346084.0000000002205000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1430232813.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tinyurl.com/ll | plugin-newest_release_.tmp, 00000003.00000003.1427094647.0000000000692000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1448475811.000000000069D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://bitbucket.org/mitrich_k/inno-download-plugin | idp.dll.3.dr, idp.dll.1.dr | false | | high
http://www.kymoto.org | plugin-newest_release_.exe, 00000000.00000003.1379098713.000000000228B000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1368489806.0000000002240000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000002.00000003.1730315411.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1447346084.0000000002240000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.remobjects.com/ps | plugin-newest_release_.exe, 00000000.00000003.1317484555.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.exe, 00000000.00000003.1317242688.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000000.1318359212.0000000000401000.00000020.00000001.01000000.00000004.sdmp, plugin-newest_release_.tmp.2.dr, plugin-newest_release_.tmp.0.dr | false | | high
https://tinyurl.com/l | plugin-newest_release_.tmp, 00000003.00000002.1728491238.0000000000628000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml | plugin-newest_release_.exe, 00000000.00000003.1316583551.0000000002440000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1363017238.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1319643895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000001.00000003.1364136967.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1428886600.000000007F4B0000.00000004.00001000.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1430232813.000000007F6F0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tinyurl.com/ | plugin-newest_release_.tmp, 00000003.00000002.1728491238.0000000000628000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.org/ | plugin-newest_release_.tmp, 00000003.00000003.1427094647.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, plugin-newest_release_.tmp, 00000003.00000003.1426758103.00000000006C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://mitrichsoftware.wordpress.comB | idp.dll.3.dr, idp.dll.1.dr | false | | high
http://localhost:8191/index.html | DontSleep_x64.exe.3.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
164.132.58.105 | rentry.org | France | 16276 | OVHFR | false
104.18.111.161 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632176
Start date and time: 2025-03-07 20:30:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: plugin-newest_release_.exe
Detection: MAL
Classification: mal52.evad.winEXE@10/10@2/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 96%
                                              • Number of executed functions: 34
                                              • Number of non-executed functions: 234
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                              • Stop behavior analysis, all processes terminated
                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.199.214.10, 150.171.27.10
                                              • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, g.bing.com
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
164.132.58.105 | segura.vbs | malicious | Remcos | -
164.132.58.105 | asegurar.vbs | malicious | Remcos | -
164.132.58.105 | XS_Trade_AI-newest_release_.exe | malicious | LummaC | -
164.132.58.105 | sims-4-updater-v1.3.4.exe | malicious | Unknown | -
164.132.58.105 | RedEngine.exe | malicious | Babadeda, RedLine | -
164.132.58.105 | setup.exe | malicious | Babadeda, RHADAMANTHYS, RedLine | -
164.132.58.105 | 8MO5hfPa8d.exe | malicious | AsyncRAT, Clipboard Hijacker | -
164.132.58.105 | SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe | malicious | AsyncRAT, Clipboard Hijacker | -
164.132.58.105 | DLL_Injector_Resou_nls..scr.exe | malicious | AsyncRAT, Clipboard Hijacker, zgRAT | -
104.18.111.161 | vF20HtY4a4.exe | malicious | Unknown | tinyurl.com/bdhpvpny
104.18.111.161 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | tinyurl.com/muewsc78
104.18.111.161 | 5UIy3bo46y.dll | malicious | Unknown | tinyurl.com/yeykydun
104.18.111.161 | BeginSync lnk.lnk | malicious | Unknown | tinyurl.com/yeykydun
104.18.111.161 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | tinyurl.com/yk3s8ubp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
tinyurl.com | https://tinyurl.com/4f78h9sp | malicious | Unknown | 104.17.112.233
tinyurl.com | https://gffd-5ru.pages.dev/?email=nobody@wp.pl&mail=wp.pl | malicious | HTMLPhisher | 104.18.111.161
tinyurl.com | https://www.ijf.org/cookies_agree?backTo=//wehirectrecruitments.com/skip/67f713e63d79655c92b5cc879ab7528bY2xhcmUubmljaG9sc0BkdnNhLmdvdi51aw==67f713e63d79655c92b5cc879ab7528b | malicious | HTMLPhisher | 104.18.111.161
tinyurl.com | https://tinyurl.com/7kurjbxf#moreinfo@choosewashington.com | malicious | HTMLPhisher | 104.18.111.161
tinyurl.com | https://tinyurl.com/52atpek7 | malicious | HTMLPhisher | 104.17.112.233
tinyurl.com | https://tinyurl.com/puttyto | malicious | CobaltStrike, Metasploit | 104.18.111.161
tinyurl.com | 8dm2CHOlmZ.ps1 | malicious | Unknown | 104.17.112.233
tinyurl.com | https://forms.office.com/Pages/ShareFormPage.aspx?id=iTARqgAd5UqV7QMdokx8z5JQ4K3tn3VMnOw2L2-4Y1tUQzFZOEUySUhJNFFWWTUxSjFORUVGUVNVNi4u&sharetoken=iZc5orqlj4ABtC30rQXF | malicious | HTMLPhisher | 104.18.111.161
tinyurl.com | https://url7218.app.vib.community/ls/click?upn=u001.gwsKOlfYZiPASz-2BJe12Ff79BhTglMk-2FZBSykTF-2F-2FaO-2Foxe9hmjRm3NhKkvc9fTjU-2FldeGRrLKU0DxVX1PQqh25RKpLFwWLco6oGMojTRbnUaK4llJPCY6AmYd2XLd3slqJvrGJKs0AJHmgAy32wwM1UD6WN-2F1nzrc-2BMg2c3qbTbgXY-2B4CTfR32XO5gM66XEoM2zQ17DNvDx-2BK2vCRe3Hh-2Feon43HZhAWX4CxQvwbzyEDyEmumgzDcVeWKospEtRyWdRWa13nrFgmx2-2BBkLStVEAsHXdT3qlaEaqv12ZbElu1lEyLUlGp-2BYnD2rcSvkP5Jtr2VZn-2FjLjNRjVGvd8e68YLVNwPVX6aDpGd-2FVvv6mijC3FBvCoGjsSNSQ1L4sBzpYgbvqkL3xu-2BwmyfRzRO3-2BPRuFuQ22YhI-2FIODLnzJANsqrldcsa6u9BRSH-2F2L-2Btyj54-2BVzR-2BX2c0fiLMGhFOuA-3D-3Dnoxw_KcfRt2c5DYdv7MgUwpsz0U9U17htP5IpY6lp4de30YOYFqp3LZH2hYNLXN5onjw6LjJAs-2FLjtL-2FW2G3nQfFLhokjqkZq3L44GIrzwu2AkT5QsG6P3jpDGtuoaw9GYX5Bm2EjDP-2BDCe1LXAdFZayQQdNrwBDLRZXzRKoEXjdVejwZE4bYieUVsgSUFl4fYIdru4f7NqTxBawZFmiaE6eCMQ-3D-3D | malicious | GRQ Scam | 104.17.112.233
rentry.org | segura.vbs | malicious | Remcos | 164.132.58.105
rentry.org | asegurar.vbs | malicious | Remcos | 164.132.58.105
rentry.org | XS_Trade_AI-newest_release_.exe | malicious | LummaC | 164.132.58.105
rentry.org | sims-4-updater-v1.3.4.exe | malicious | Unknown | 164.132.58.105
rentry.org | RedEngine.exe | malicious | Babadeda, RedLine | 164.132.58.105
rentry.org | AtlasLoader.exe | malicious | Unknown | 198.251.88.130
rentry.org | AtlasLoader.exe | malicious | Unknown | 198.251.88.130
rentry.org | LX.exe | malicious | Unknown | 198.251.88.130
rentry.org | lucim.exe | malicious | Xmrig | 198.251.88.130
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | employee record_pdf.bat.exe | malicious | GuLoader | 188.114.97.3
CLOUDFLARENETUS | https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl | malicious | Unknown | 104.18.11.200
CLOUDFLARENETUS | AaxpYFDQ32.exe | malicious | Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl | malicious | Unknown | 104.18.11.200
CLOUDFLARENETUS | employee record_pdf.bat.exe | malicious | GuLoader | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl | malicious | Unknown | 104.18.11.200
CLOUDFLARENETUS | random.exe | malicious | LummaC Stealer | 188.114.97.3
CLOUDFLARENETUS | am_no.bat | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc | 104.21.32.1
OVHFR | Halkbank Ekstre.bat.exe | malicious | Remcos | 51.81.149.203
OVHFR | Update.Client.exe | malicious | ScreenConnect Tool | 51.79.171.167
OVHFR | Update.Client.exe | malicious | ScreenConnect Tool | 51.79.171.167
OVHFR | oCPGyn28rc.exe | malicious | AgentTesla | 144.217.198.22
OVHFR | GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg | malicious | AsyncRAT, DcRat | 51.222.44.186
OVHFR | DanaBot.exe | malicious | Unknown | 51.222.39.81
OVHFR | https://graph.org/WBACK-03-06?qb3n | malicious | Unknown | 91.134.10.168
OVHFR | nabppc.elf | malicious | Unknown | 217.182.97.145
OVHFR | nabarm.elf | malicious | Unknown | 167.114.188.76
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | AaxpYFDQ32.exe | malicious | Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC Stealer | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC Stealer | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | 43 22.pdf.js | malicious | Unknown | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | am_no.bat | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | CgmaT61.exe | malicious | LummaC Stealer | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | LtCPevm69G.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | FvbuInU.exe | malicious | LummaC Stealer | 164.132.58.105, 104.18.111.161
a0e9f5d64349fb13191bc781f81f42e1 | NEW ORDER (PO. 2100002 (BT-INC).xls | malicious | Unknown | 164.132.58.105, 104.18.111.161
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.exe | XS_Trade_AI-newest_release_.exe | malicious | LummaC | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | dxRwXy19pq.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | GogIe_v2.0305.2.1.exe | malicious | MicroClip | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe | malicious | Unknown | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | 12321321.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | SecuriteInfo.com.Win32.Malware-gen.14270.13618.exe | malicious | Unknown | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | file.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | file.exe | malicious | Socks5Systemz | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | MouseSpeedSetup64.exe | malicious | Unknown | -
C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\_isetup\_setup64.tmp | MouseSpeedSetup64.exe | malicious | Unknown | -
Process: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 530696
Entropy (8bit): 6.855729200155896
Encrypted: false
SSDEEP: 6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
MD5: 8D0EEBD8F9083EE140B42321C1DC6FE5
SHA1: E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
SHA-256: A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
SHA-512: B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: XS_Trade_AI-newest_release_.exe, Detection: malicious
Reputation: low
Process: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: dxRwXy19pq.exe, Detection: malicious
• Filename: GogIe_v2.0305.2.1.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, Detection: malicious
• Filename: 12321321.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.14270.13618.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: MouseSpeedSetup64.exe, Detection: malicious
• Filename: MouseSpeedSetup64.exe, Detection: malicious
Reputation: high, very likely benign file
Process: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 237568
Entropy (8bit): 6.42067568634536
Encrypted: false
SSDEEP: 3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
MD5: 55C310C0319260D798757557AB3BF636
SHA1: 0892EB7ED31D8BB20A56C6835990749011A2D8DE
SHA-256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
SHA-512: E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 847360
Entropy (8bit): 6.655399003035542
Encrypted: false
SSDEEP: 24576:N5Oh3oXwjoThmYgKmRCcBcIGvymfIRNM9+1nG0:Ng9ogjoVsRlBAPV+40
MD5: 6482EE0F372469D1190C74BD70D76153
SHA1: 9001213D28E5B0B18AA24114A38A1EFE1A767698
SHA-256: 4B7FC7818F3168945DBEDADCFD7AAF470B88543EF6B685619AD1C942AC3B1DED
SHA-512: 6A5C2BDF58CD8DEADF51302D8F8B17A14908809EF700A1E366E7D107B1E22ABE8CAF1F68E7EB9D35E9B519793699C3492323F6577C3569A56AC3C845516625F3
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 530696
Entropy (8bit): 6.855729200155896
Encrypted: false
SSDEEP: 6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
MD5: 8D0EEBD8F9083EE140B42321C1DC6FE5
SHA1: E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
SHA-256: A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
SHA-512: B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{....................o...............................................Rich....................PE..d....L.g..........#...........................@..............................................................................................O..,.......0....P...E.......)...........................................................0...............................text............................... ..`.rdata...I...0...J... ..............@..@.data...h........&...j..............@....pdata...E...P...F..................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp
                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):6144
                                                                                    Entropy (8bit):4.720366600008286
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                    MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):237568
                                                                                    Entropy (8bit):6.42067568634536
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
                                                                                    MD5:55C310C0319260D798757557AB3BF636
                                                                                    SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
                                                                                    SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
                                                                                    SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\plugin-newest_release_.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):1185792
                                                                                    Entropy (8bit):6.397623231254155
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io
                                                                                    MD5:BE3CC5717F5951662ADB399D613F20CC
                                                                                    SHA1:F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A
                                                                                    SHA-256:8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25
                                                                                    SHA-512:FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 4%
                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......H...................idata..@8.......:...H..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\plugin-newest_release_.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):1185792
                                                                                    Entropy (8bit):6.397623231254155
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:wnbbPImgK4brDi4IxgRqzwqNb+Yz71P2EN29cnDdqxyt:GHeKh4nqzF1Px2io
                                                                                    MD5:BE3CC5717F5951662ADB399D613F20CC
                                                                                    SHA1:F776BC4344AD59FBD6950D24D3AA6DDDB3DF215A
                                                                                    SHA-256:8F0BEB5863D190B7B2CFE7F506F3B721AB6B9E892337A133364F2BA710931B25
                                                                                    SHA-512:FBE0AAB2194E4F09CBDBED770D862A4F9F2672A5C8346EE7E392341973C75CFC0B8C66A132E5A2BB22FB6E265CB40B45DFB05FB076C74914FAED35E1E476A2CD
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 4%
                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......[.............................%.......0....@.......................................@......@..............................@8...@.......................................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......H...................idata..@8.......:...H..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe
                                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):415
                                                                                    Entropy (8bit):4.869237911154585
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:AMpnOMvotkMylHcAxXF2Saie923fzIfczmaLgbWoJPX923fzIfcttGvovnbqxRok:pt6wnRwUrKmQ1orttGKqK2
                                                                                    MD5:7A318B206F4C64AC578AD4666BEFD880
                                                                                    SHA1:167E3BEE8E1349E5F2E8D192324D710AA2777DF5
                                                                                    SHA-256:DC39F29286E02958562E77FBB247B03A0FE6D1008DEAE7122AE465A053A1CF19
                                                                                    SHA-512:6F9E66EBBED3ADC09499606A76467B389C77B18B7968361326BA2CA356FB7514AC52AE721E07111463F49473475BFB23FF05CCC82471C4BBF6E3B44C3EC639A9
                                                                                    Malicious:false
                                                                                    Preview:..7-Zip (a) 24.05 (x86) : Copyright (c) 1999-2024 Igor Pavlov : 2024-05-14....Scanning the drive for archives:.. 0M Scan C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\. ...ERROR: The system cannot find the file specified...C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.zip........System ERROR:..The system cannot find the file specified...
                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.954848249731403
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:plugin-newest_release_.exe
                                                                                    File size:1'640'566 bytes
                                                                                    MD5:55708f430c572fffe83624c57fcbe657
                                                                                    SHA1:f5ce9f6ac27e11df7142c7ce88697836388d7341
                                                                                    SHA256:977f445d047b424892794025f0306a7d1c6e0600c590ebc029b210692b6f5383
                                                                                    SHA512:85945a1c183e589d450029d136dde184b68934ceaedfcca344b31da5aabbc97eb5c17d799fbcdbdb55272c1e18ca3846a20934785d81244a653a4b3d9bdf9d93
                                                                                    SSDEEP:24576:L86hvqKNIYzqm6LDQm3zZ/sHTISn+/Dev8l+MDnbBM8r5WUY4pv1LNdYryk:/5IY+m6nxZ/8TISnMDev0bBM8/Y4pviP
                                                                                    TLSH:6F752303B3CB1432F4982D368CB4C414AD677DF819FAA11A2CB5D60D1ABE9D68C77762
                                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                    Icon Hash:2d2e3797b32b2b99
                                                                                    Entrypoint:0x41181c
                                                                                    Entrypoint Section:.itext
                                                                                    Digitally signed:true
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x5B1A0D8D [Fri Jun 8 05:01:01 2018 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:5
                                                                                    OS Version Minor:0
                                                                                    File Version Major:5
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:5
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:20dd26497880c05caed9305b3c8b9109
                                                                                    Signature Valid:false
                                                                                    Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                                    Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over the file does not match the hash inside the signed PKCS#7 blob, i.e. the signed bytes were altered after signing; the certificate chain itself is not what failed)
Not Before:24/07/2024 07:16:20
Not After:27/08/2026 11:33:53
                                                                                    Subject Chain
                                                                                    • E=support@softwareok.com, CN=Nenad Hrg, O=Nenad Hrg, STREET=Edelweissstr. 104, L=Taufkirchen, S=Bayern, C=DE, OID.1.3.6.1.4.1.311.60.2.1.1=Taufkirchen, OID.1.3.6.1.4.1.311.60.2.1.2=Bayern, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=2016, OID.2.5.4.15=Private Organization
                                                                                    Version:3
                                                                                    Thumbprint MD5:02FA1932AC9D3D360F3D0323CCDA30EC
                                                                                    Thumbprint SHA-1:0181DA2D78A2EC6E6966C59A0A663E9D8F0C2F93
                                                                                    Thumbprint SHA-256:AD02A24C8D2FFBC5F7E946048F23967690A9EE43C5B6842093AD345CA83FB7B5
                                                                                    Serial:688627716A10C6EBD3648632
                                                                                    Instruction
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    add esp, FFFFFFA4h
                                                                                    push ebx
                                                                                    push esi
                                                                                    push edi
                                                                                    xor eax, eax
                                                                                    mov dword ptr [ebp-3Ch], eax
                                                                                    mov dword ptr [ebp-40h], eax
                                                                                    mov dword ptr [ebp-5Ch], eax
                                                                                    mov dword ptr [ebp-30h], eax
                                                                                    mov dword ptr [ebp-38h], eax
                                                                                    mov dword ptr [ebp-34h], eax
                                                                                    mov dword ptr [ebp-2Ch], eax
                                                                                    mov dword ptr [ebp-28h], eax
                                                                                    mov dword ptr [ebp-14h], eax
                                                                                    mov eax, 0041015Ch
                                                                                    call 00007F957068EA6Dh
                                                                                    xor eax, eax
                                                                                    push ebp
                                                                                    push 00411EFEh
                                                                                    push dword ptr fs:[eax]
                                                                                    mov dword ptr fs:[eax], esp
                                                                                    xor edx, edx
                                                                                    push ebp
                                                                                    push 00411EBAh
                                                                                    push dword ptr fs:[edx]
                                                                                    mov dword ptr fs:[edx], esp
                                                                                    mov eax, dword ptr [00415B48h]
                                                                                    call 00007F95706971CBh
                                                                                    call 00007F9570696D1Ah
                                                                                    cmp byte ptr [00412AE0h], 00000000h
                                                                                    je 00007F9570699CEEh
                                                                                    call 00007F95706972E0h
                                                                                    xor eax, eax
                                                                                    call 00007F957068CB05h
                                                                                    lea edx, dword ptr [ebp-14h]
                                                                                    xor eax, eax
                                                                                    call 00007F9570693D4Bh
                                                                                    mov edx, dword ptr [ebp-14h]
                                                                                    mov eax, 00418658h
                                                                                    call 00007F957068D0DAh
                                                                                    push 00000002h
                                                                                    push 00000000h
                                                                                    push 00000001h
                                                                                    mov ecx, dword ptr [00418658h]
                                                                                    mov dl, 01h
                                                                                    mov eax, dword ptr [0040C04Ch]
                                                                                    call 00007F9570694662h
                                                                                    mov dword ptr [0041865Ch], eax
                                                                                    xor edx, edx
                                                                                    push ebp
                                                                                    push 00411E66h
                                                                                    push dword ptr fs:[edx]
                                                                                    mov dword ptr fs:[edx], esp
                                                                                    call 00007F957069723Eh
                                                                                    mov dword ptr [00418664h], eax
                                                                                    mov eax, dword ptr [00418664h]
                                                                                    cmp dword ptr [eax+0Ch], 01h
                                                                                    jne 00007F9570699D2Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19000 | 0xe04 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xb200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18df6e | 0x2908 | (file offset of the Authenticode certificate table, not an RVA; 0x18df6e + 0x2908 = 0x18e9f6 = file size)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1b000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19304 | 0x214 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf25c | 0xf400 | 0da5d73ffbc41792fa65a09058a91476 | False | 0.5482197745901639 | data | 6.375879013420213 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x11000 | 0xfa4 | 0x1000 | 2eb275566563c3f1d0099a0da7345b74 | False | 0.563720703125 | data | 5.778765357049134 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0xc8c | 0xe00 | 73b859e23f5fd17e00c08db2e0e73dfe | False | 0.25362723214285715 | data | 2.3028287433175367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x13000 | 0x56bc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x19000 | 0xe04 | 0x1000 | e9b9c0328fd9628ad4d6ab8283dcb20e | False | 0.321533203125 | data | 4.597812557707959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1a000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1b000 | 0x18 | 0x200 | 3dffc444ccc131c9dcee18db49ee6403 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1c000 | 0xb200 | 0xb200 | 523facfe6cbb31c3afe25bedfd7e91b7 | False | 0.17834884129213482 | data | 4.142505918306035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
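The two static findings above that a practitioner will want to reproduce are the failed signature check (Signature Valid: false, error -2146869232) and the per-section entropy column. The following is an added example, not part of the Joe Sandbox report and not derived from the sample: it constructs a minimal PE32 in memory, computes the Authenticode digest the way the Microsoft Authenticode PE specification defines it (skip CheckSum, skip the SECURITY data directory entry, hash sections in PointerToRawData order, exclude the certificate table), and shows that attaching a certificate table leaves the digest unchanged while patching a single code byte changes it, which is exactly the condition Windows reports as 0x80096010 / TRUST_E_BAD_DIGEST. The helper names (`build_min_pe`, `parse_pe`, `authenticode_hash`, `shannon_entropy`, `hresult`) and the placeholder certificate blob are assumptions of this example, and no PKCS#7 parsing or chain validation is attempted.

```python
"""Authenticode digest, section table and entropy checks against a constructed PE.
Added example for this report; the PE image is built in memory and is not the sample."""
import hashlib
import math
import struct
from collections import Counter

FILE_ALIGN = 0x200  # FileAlignment used by the constructed image


def build_min_pe(text: bytes, cert_blob: bytes = b"") -> bytes:
    """Constructed input: minimal PE32 with one .text section and, optionally, a
    WIN_CERTIFICATE table referenced by data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY)."""
    text_raw = text + b"\0" * (-len(text) % FILE_ALIGN)
    cert_off = FILE_ALIGN + len(text_raw)  # SECURITY entry holds a file offset, not an RVA
    cert = b""
    if cert_blob:  # dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS_SIGNED_DATA)
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert += b"\0" * (-len(cert) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = struct.pack(  # PE32 optional header, 96 bytes before the data directories
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 14, 0, len(text_raw), 0, 0, 0x1000, 0x1000, 0x2000,
        0x400000, 0x1000, FILE_ALIGN, 5, 0, 0, 0, 5, 0, 0, 0x2000, FILE_ALIGN, 0,
        2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if cert:
        dirs[4] = (cert_off, len(cert))
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text_raw),
                      FILE_ALIGN, 0, 0, 0, 0, 0x60000020)  # CNT_CODE|MEM_EXECUTE|MEM_READ
    hdr = dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + sec
    return hdr + b"\0" * (FILE_ALIGN - len(hdr)) + text_raw + cert


def parse_pe(pe: bytes) -> dict:
    """Offsets of the fields Authenticode skips (CheckSum, SECURITY entry) plus the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+; CheckSum/SizeOfHeaders sit at the same offsets
    info = {"checksum_off": opt + 64, "security_dir_off": dirs + 4 * 8,
            "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0], "sections": []}
    for i in range(n_sections):
        at = opt + size_opt + i * 40
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, at)
        chars = struct.unpack_from("<I", pe, at + 36)[0]
        info["sections"].append((name.rstrip(b"\0").decode(), vsize, rva, raw_size, raw_ptr, chars))
    return info


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode PE digest: every byte except CheckSum, the SECURITY directory entry and the
    certificate table itself; sections hashed in PointerToRawData order, overlay data included."""
    p = parse_pe(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, p["security_dir_off"])
    h = hashlib.new(algo)
    h.update(pe[:p["checksum_off"]])
    h.update(pe[p["checksum_off"] + 4:p["security_dir_off"]])
    h.update(pe[p["security_dir_off"] + 8:p["size_of_headers"]])
    hashed = p["size_of_headers"]
    for _, _, _, raw_size, raw_ptr, _ in sorted(p["sections"], key=lambda s: s[4]):
        if raw_size:
            h.update(pe[raw_ptr:raw_ptr + raw_size])
            hashed += raw_size
    tail = pe[hashed:]
    if cert_size and cert_off >= hashed:  # drop the certificate table from the trailing data
        tail = tail[:cert_off - hashed] + tail[cert_off - hashed + cert_size:]
    h.update(tail)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the figure shown in the report's Entropy columns."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def hresult(n: int) -> int:
    """Signed error number as the sandbox prints it -> unsigned HRESULT."""
    return n & 0xFFFFFFFF


if __name__ == "__main__":
    body = b"\x90" * 15 + b"\xc3"  # constructed .text: NOPs then RET
    signed = build_min_pe(body, cert_blob=b"constructed PKCS#7 placeholder")
    assert authenticode_hash(build_min_pe(body)) == authenticode_hash(signed)  # cert table is not hashed
    tampered = bytearray(signed)
    tampered[FILE_ALIGN] = 0xCC  # one patched code byte is enough to break the signature
    assert authenticode_hash(bytes(tampered)) != authenticode_hash(signed)
    print(hex(hresult(-2146869232)))  # 0x80096010 == TRUST_E_BAD_DIGEST
    for name, _, _, raw_size, raw_ptr, chars in parse_pe(signed)["sections"]:
        print(f"{name} chars=0x{chars:08x} entropy={shannon_entropy(signed[raw_ptr:raw_ptr + raw_size]):.3f}")
```

Run against a real file, `authenticode_hash(open(path, "rb").read())` gives the digest that `signtool verify /v` or `Get-AuthenticodeSignature` compares with the messageDigest inside the PKCS#7 blob; a mismatch is what produces TRUST_E_BAD_DIGEST even when, as here, the signer certificate and its chain are perfectly valid. Entropy near 8 for a section (the whole sample sits at 7.95) indicates packed or compressed data rather than plain code.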
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1c41c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1c544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x1caac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x1cd94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x1d63c | 0x68 | data | | | 0.6538461538461539
RT_STRING | 0x1d6a4 | 0xd4 | data | | | 0.5283018867924528
RT_STRING | 0x1d778 | 0xa4 | data | | | 0.6524390243902439
RT_STRING | 0x1d81c | 0x2ac | data | | | 0.45614035087719296
RT_STRING | 0x1dac8 | 0x34c | data | | | 0.4218009478672986
RT_STRING | 0x1de14 | 0x294 | data | | | 0.4106060606060606
RT_RCDATA | 0x1e0a8 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x26390 | 0x10 | data | | | 1.5
RT_RCDATA | 0x263a0 | 0x150 | data | | | 0.8392857142857143
RT_RCDATA | 0x264f0 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x2651c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x2655c | 0x4f4 | data | English | United States | 0.2910094637223975
RT_MANIFEST | 0x26a50 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
Description | Data
Comments | This installation was built with Inno Setup.
CompanyName | Nenad Hrg (SoftwareOK.com)
FileDescription | DontSleep
FileVersion | 9.59.1.0
LegalCopyright |
ProductName | DontSleep
ProductVersion | 9.59.1.0
Translation | 0x0000 0x04b0
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T20:31:23.006272+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49698 | 104.18.111.161 | 443 | TCP
2025-03-07T20:31:25.877947+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49699 | 164.132.58.105 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:31:21.294891119 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:21.294976950 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:21.295058966 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:21.296713114 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:21.296726942 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.006179094 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.006272078 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:23.009387016 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:23.009396076 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.009629965 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.050066948 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:23.058341026 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:23.104315996 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.637304068 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.661075115 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.661236048 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:23.759799957 CET | 49698 | 443 | 192.168.2.5 | 104.18.111.161
Mar 7, 2025 20:31:23.759840012 CET | 443 | 49698 | 104.18.111.161 | 192.168.2.5
Mar 7, 2025 20:31:23.787651062 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:23.787687063 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:23.788501024 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:23.788829088 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:23.788837910 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:25.877507925 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:25.877947092 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:25.880232096 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:25.880250931 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:25.880616903 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:25.883002043 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:25.924340963 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:26.789709091 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:26.789736032 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:26.789798021 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:26.789815903 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:26.789865971 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:26.793015003 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:26.793032885 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Mar 7, 2025 20:31:26.793061972 CET | 49699 | 443 | 192.168.2.5 | 164.132.58.105
Mar 7, 2025 20:31:26.793068886 CET | 443 | 49699 | 164.132.58.105 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:31:21.280550003 CET | 59074 | 53 | 192.168.2.5 | 1.1.1.1
Mar 7, 2025 20:31:21.287930012 CET | 53 | 59074 | 1.1.1.1 | 192.168.2.5
Mar 7, 2025 20:31:23.778800964 CET | 65385 | 53 | 192.168.2.5 | 1.1.1.1
Mar 7, 2025 20:31:23.786906004 CET | 53 | 65385 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 20:31:21.280550003 CET | 192.168.2.5 | 1.1.1.1 | 0x4e2f | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:31:23.778800964 CET | 192.168.2.5 | 1.1.1.1 | 0xcedb | Standard query (0) | rentry.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 20:31:21.287930012 CET | 1.1.1.1 | 192.168.2.5 | 0x4e2f | No error (0) | tinyurl.com | | 104.18.111.161 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:31:21.287930012 CET | 1.1.1.1 | 192.168.2.5 | 0x4e2f | No error (0) | tinyurl.com | | 104.17.112.233 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:31:23.786906004 CET | 1.1.1.1 | 192.168.2.5 | 0xcedb | No error (0) | rentry.org | | 164.132.58.105 | A (IP address) | IN (0x0001) | false
• tinyurl.com
• rentry.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49698 | 104.18.111.161 | 443 | 8468 | C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
Timestamp | Bytes transferred | Direction | Data
2025-03-07 19:31:23 UTC | 153 | OUT | GET /3ann877w HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: tinyurl.com
2025-03-07 19:31:23 UTC | 1258 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 07 Mar 2025 19:31:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
location: https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw
referrer-policy: unsafe-url
x-robots-tag: noindex
x-tinyurl-redirect-type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
x-tinyurl-redirect: eyJpdiI6InBvUEo4dHZaUFczcFFCTkZONDYvWHc9PSIsInZhbHVlIjoiYk8vSUxEUi84dTlRRkpnQ1lmbVMxZGdoVktmbHpSejZLY2hyZStabjBwK1FwRDlkNzl1cDJoZVJsMGpEN1RKcHMrRG1NL0REUnBaZ0VrNkt2V0VVRnc9PSIsIm1hYyI6IjBiMzE0M2ZiMDgwYWQ4NDI4MjcyNDM2NzNhZjM1NDE0ZTMzNzMxNTg2NDY5OWExNTgzNGNiZGY0ZTkyZDZmYzIiLCJ0YWciOiIifQ==
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
CF-Cache-Status: HIT
Set-Cookie: __cf_bm=wJvDIIWjWiaxdoaA.d4baUNlKrJMoLj1FALmo5TB0C4-1741375883-1.0.1.1-bcYUm.xSfoQ5bW7dFw1sXthAs96PL.1W6Qc55VWTunqDJfzyJnhGk.2x1YvsUC6AzfbpXx63SHBlQ4487bV8CnZm4YPjBhl05Ne6Xqdu6MU; path=/; expires=Fri, 07-Mar-25 20:01:23 GMT; domain=.tinyurl.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 91cc83469b8fc307-IAH
alt-svc: h3=":443"; ma=86400
2025-03-07 19:31:23 UTC | 111 | IN | Data Raw: 32 35 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74
Data Ascii: 252<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" cont
2025-03-07 19:31:23 UTC | 490 | IN | Data Raw: 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 31 39 61 39 63 35 30 61 35 38 63 38 62 63 64 37 30 38 32 33 38 34 66 37 35 30 36 64 66 39 63 37 34 62 63 62 34 33 39 64 39 30 34 65 66 65 30 39 62 61 34 36 38 37 66 61 62 36 62 33 32 33 34 64 2f 72 61 77 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 31 39 61 39 63 35 30 61 35 38 63 38 62 63 64 37 30 38 32 33 38 34 66 37 35 30 36 64 66 39 63 37 34 62 63 62 34 33 39 64 39 30 34 65 66 65 30 39 62 61 34 36 38 37 66 61 62 36 62 33 32 33 34 64 2f 72 61 77 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a
Data Ascii: ent="0;url='https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw'" /> <title>Redirecting to https://rentry.org/19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw</title> </head> <body>
2025-03-07 19:31:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49699 | 164.132.58.105 | 443 | 8468 | C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
Timestamp | Bytes transferred | Direction | Data
2025-03-07 19:31:25 UTC | 212 | OUT | GET /19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d/raw HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: rentry.org
2025-03-07 19:31:26 UTC | 317 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 07 Mar 2025 19:31:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4549
Connection: close
Vary: Origin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: Vary
2025-03-07 19:31:26 UTC | 4549 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 57 68 61 74 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 77 68 61 74 22 20 2f 3e 0a 0a 20 20 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 69 73 20 61 20 6d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67
Data Ascii: <!DOCTYPE html><html><head> <meta charset="utf-8"> <title>What</title><link rel="canonical" href="https://rentry.co/what" /> <meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and editing


Target ID:0
Start time:14:31:14
Start date:07/03/2025
Path:C:\Users\user\Desktop\plugin-newest_release_.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\plugin-newest_release_.exe"
Imagebase:0x400000
File size:1'640'566 bytes
MD5 hash:55708F430C572FFFE83624C57FCBE657
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:low
Has exited:true

Target ID:1
Start time:14:31:14
Start date:07/03/2025
Path:C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-OUV7K.tmp\plugin-newest_release_.tmp" /SL5="$104D2,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe"
Imagebase:0x400000
File size:1'185'792 bytes
MD5 hash:BE3CC5717F5951662ADB399D613F20CC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Antivirus matches:
• Detection: 4%, ReversingLabs
Reputation:low
Has exited:true

Target ID:2
Start time:14:31:19
Start date:07/03/2025
Path:C:\Users\user\Desktop\plugin-newest_release_.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Imagebase:0x400000
File size:1'640'566 bytes
MD5 hash:55708F430C572FFFE83624C57FCBE657
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:low
Has exited:true

Target ID:3
Start time:14:31:19
Start date:07/03/2025
Path:C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-PK610.tmp\plugin-newest_release_.tmp" /SL5="$404EC,865334,121344,C:\Users\user\Desktop\plugin-newest_release_.exe" /verysilent /sp-
Imagebase:0x400000
File size:1'185'792 bytes
MD5 hash:BE3CC5717F5951662ADB399D613F20CC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Antivirus matches:
• Detection: 4%, ReversingLabs
Reputation:low
Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:14:31:26
                                                                                    Start date:07/03/2025
                                                                                    Path:C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-51L9R.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p19a9c50a58c8bcd7082384f7506df9c74bcb439d904efe09ba4687fab6b3234d
                                                                                    Imagebase:0x4a0000
                                                                                    File size:847'360 bytes
                                                                                    MD5 hash:6482EE0F372469D1190C74BD70D76153
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 0%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:14:31:27
                                                                                    Start date:07/03/2025
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7e2000000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true
