Windows Analysis Report
PlasmaSetup@LR_2.exe

Overview

General Information

Sample name:	PlasmaSetup@LR_2.exe
Analysis ID:	1579303
MD5:	3443898e0b0bd2a27c1bcebfe41b702e
SHA1:	3d83edc844cb4c011e9a5a554fe99a6f128e21ca
SHA256:	de4c90695da23b3ed3a399bf5cdc2e5f85f3c074180480b19fb54dcb0ece007f
Infos:

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Machine Learning detection for dropped file

Checks if the current process is being debugged

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Signatures

AV Detection

Machine Learning detection for dropped file

Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected
Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected
Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected
Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected

Uses 32bit PE files

Source: PlasmaSetup@LR_2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\

One or more processes crash

Source: C:\Plasma\pmanager.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 648

Uses 32bit PE files

Source: PlasmaSetup@LR_2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus25.winEXE@9/46@0/11

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma

Source: C:\Plasma\pmanager.exe	Mutant created: \Sessions\1\BaseNamedObjects\IB.SQL.MONITOR.Mutex4_1
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5076
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4856
Source: C:\Plasma\pbrowser.exe	Mutant created: \Sessions\1\BaseNamedObjects\LDV_BROWSER
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3916

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File created: C:\Users\user\AppData\Local\Temp\nsn7F2F.tmp

Source: Yara match	File source: 0000000A.00000002.1448474464.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1655947520.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY

Source: PlasmaSetup@LR_2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Plasma\pbrowser.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pmanager.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pmanager.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pbrowser.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pmanager.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File read: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

Source: unknown	Process created: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe "C:\Users\user\Desktop\PlasmaSetup@LR_2.exe"
Source: unknown	Process created: C:\Plasma\pbrowser.exe "C:\Plasma\pbrowser.exe"
Source: unknown	Process created: C:\Plasma\pmanager.exe "C:\Plasma\pmanager.exe"
Source: C:\Plasma\pmanager.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 648
Source: unknown	Process created: C:\Plasma\pmanager.exe "C:\Plasma\pmanager.exe"
Source: C:\Plasma\pmanager.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 624
Source: unknown	Process created: C:\Plasma\pbrowser.exe "C:\Plasma\pbrowser.exe"
Source: unknown	Process created: C:\Plasma\pmanager.exe "C:\Plasma\pmanager.exe"
Source: C:\Plasma\pmanager.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 620

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: cscapi.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: apphelp.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: urlmon.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: version.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: winmm.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: iertutil.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: srvcli.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: netutils.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: apphelp.dll
Source: C:\Plasma\pmanager.exe	Section loaded: version.dll
Source: C:\Plasma\pmanager.exe	Section loaded: winmm.dll
Source: C:\Plasma\pmanager.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pmanager.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pmanager.exe	Section loaded: gds32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pmanager.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: version.dll
Source: C:\Plasma\pmanager.exe	Section loaded: winmm.dll
Source: C:\Plasma\pmanager.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pmanager.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pmanager.exe	Section loaded: gds32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pmanager.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: urlmon.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: version.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: winmm.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: iertutil.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: srvcli.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: netutils.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: version.dll
Source: C:\Plasma\pmanager.exe	Section loaded: winmm.dll
Source: C:\Plasma\pmanager.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pmanager.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pmanager.exe	Section loaded: gds32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pmanager.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File written: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\ioSpecial.ini

Source: C:\Plasma\pbrowser.exe

Window found: window name: TEdit

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PlasmaSetup@LR_2.exe

Static file information: File size 2046487 > 1048576

Drops PE files

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\pmarquee.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\pbrowser.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\Switcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\pmanager.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\uninst.exe	Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Manager.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Browser.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Website.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Uninstall.lnk

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pbrowser.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pbrowser.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Plasma\pmanager.exe	Window / User API: threadDelayed 2268
Source: C:\Plasma\pmanager.exe	Window / User API: threadDelayed 4093
Source: C:\Plasma\pmanager.exe	Window / User API: threadDelayed 824

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\pmarquee.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\Switcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\pmanager.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\uninst.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Plasma\pmanager.exe TID: 6408	Thread sleep count: 58 > 30
Source: C:\Plasma\pmanager.exe TID: 1488	Thread sleep count: 31 > 30
Source: C:\Plasma\pmanager.exe TID: 1488	Thread sleep count: 4093 > 30
Source: C:\Plasma\pmanager.exe TID: 1344	Thread sleep count: 42 > 30
Source: C:\Plasma\pmanager.exe TID: 1344	Thread sleep count: 89 > 30
Source: C:\Plasma\pmanager.exe TID: 4008	Thread sleep count: 824 > 30

Queries disk information (often used to detect virtual machines)

Source: C:\Plasma\pbrowser.exe

File opened: PHYSICALDRIVE0

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\

Checks if the current process is being debugged

Source: C:\Plasma\pmanager.exe	Process queried: DebugPort
Source: C:\Plasma\pmanager.exe	Process queried: DebugPort
Source: C:\Plasma\pmanager.exe	Process queried: DebugPort

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.182.143.212	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.189.173.21	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Name	Type	MD5	SHA1	SHA256
C:\Plasma\AKISDB.FDB	data	E172FCCDBD2AE7137ECFC6ED8C0DC163	DAB22F8226C56ECDC3CC9E13E422C7399643A02C	625BF3AD5AB727E9918C812FC2E1E79408A11946DF931EE100747AF91DB7BA77
C:\Plasma\Arabicp.ini	ISO-8859 text, with CRLF, LF line terminators	D534FCE9736A58549E4850BDFB8CA316	AD9601900E9D2C99435A5137FF02E70F32BB6C72	551B9941F1E1B39DC81F5C20BB7602237862DC026643AD0F09848CA73BF24427
C:\Plasma\Englishp.ini	ASCII text, with CRLF line terminators	0E1234A7EA37A7881C8F9148DABD45C6	E5F53E1184BFDE14CC4B21169783738B1BD7D0D1	6A634AEA1156345CC401C5AFAAB1E5907B158DA76ED85B0031078567EC1E93FC
C:\Plasma\Lithuansw.ini	ISO-8859 text, with CRLF line terminators	A33EB4D5FE1F920301C55E6085EDBE4D	5E74F825B40B4F7B22897BBE5EDC3AF04DF95486	8728F982D19B6B4217272C96603C252F8276E7EABC0F3C876EF178FC8B6E3C34
C:\Plasma\PLASMA.HLP	MS Windows 3.1 help, Thu Sep 14 12:44:24 2006, 5564 bytes	9A9F5FAD1FB0C573AEA5E9EE1A2ADBAC	EAE61C5FFAEC94DC2659C6B428BFE56D87B24DD0	3EDB79A4A683A68E11179D8DFDC73C917122BF9AD6C2D4656805F7C61AA4E450
C:\Plasma\Plasma.url	MS Windows 95 Internet shortcut text (URL=<http://www.tipas.lt/>), ASCII text, with CRLF line terminators	FC29AF24D943C5310D45F20385D325A6	79BAE63BF7961BB23F1608129AEC7A54683F4C89	355B52961A7EA01A691FCE3ED033EC8C6ECCBE41C728500320FA464A3E86A527
C:\Plasma\Polishp.ini	Non-ISO extended-ASCII text, with CRLF line terminators	BBEBA1EEDDCE8E8FA541EBC0D4A6345B	97006D0E0BFD23D09DE9C37207E9CC6FF800D16E	669778D94CE77B919285DB7DB43B5498782E4C8E949BB758D3786750A4714317
C:\Plasma\Polishsw.ini	ISO-8859 text, with CRLF line terminators	43DC7F1E23E9E63573CEE3D965FDC56B	3B02C56C5D1CE373B8CA66FCBE40EBDA1A89B090	C3C4818F3C8BF7FA0B95047BBA6353EB742610293EE08931CF3676885E85C251
C:\Plasma\Russianp.ini	ISO-8859 text, with CRLF line terminators	3CE6FC79ABF71199E374C43E6357C7CE	DBAA15260E6F9A6AB92FEF9863BE9CF4EADA5696	6BD1483B23EB3B7446B1BABC3B0C7CEA3990072B23CB73326CA6CAD5C638ACF0
C:\Plasma\Russiansw.ini	ISO-8859 text, with CRLF line terminators	5C7CDF2091389247FCE1FF3A048F6E26	CE247D56F02805E15540A8378AD1208942CABED9	9788C1FCA6ECEC810EB50C90CE425648870D604EC8F61F6E199B3321D1F85606
C:\Plasma\Switcher.exe	PE32 executable (GUI) Intel 80386, for MS Windows	1DBE55284443373424CDACDFE05743D6	86CE06DFB160EDE7637052B5A98218BBCF7C774F	68581C13221CF66A403D205D73E1B8D0484826B1BA7C56E1B5788052FBB6205E
C:\Plasma\TVTuner.htm	HTML document, ASCII text, with CRLF line terminators	8CF8283B22DEC5FBB208CE7956229BD7	AAEE9C841A5015505224CF176252C73427017DA1	2DE3473101F2581EEB2954BA3370DF5680D11C165E4DD6C00EA42D8C9D149AB4
C:\Plasma\dvd_template.htm	HTML document, ASCII text, with CRLF line terminators	28A877653797AD125534DFE741D63D01	952458208ABC20C587B2FDAB964A4790BE0529D3	D8862B48DAA870A825DC051E58C4A643DFBEAF671F57CE70C3955C90024DEF4F
C:\Plasma\empty_template.htm	HTML document, ASCII text, with CRLF line terminators	B2F07009CD2DE818857AA08A7E2C938F	F851986606807B559D4405FA172DE892F8BD63CB	A1AF951605377D9ECCB3056B6491B0907A56669C55C339ABBEBFEF11AAF6E5FB
C:\Plasma\film_template.htm	HTML document, ASCII text, with CRLF line terminators	F00DA3892F8B9742D99EAC1C70158430	72BE1A8A42BA878BD1C16BD1A17C1A8CF448065E	103E7E284CFAC2CF7AA291C29C91522F7D16379CA5C119C6B03BE5083402601A
C:\Plasma\film_template_VLC.htm	HTML document, ASCII text, with CRLF line terminators	67D86D099C83137CBC23AC9C17535D73	F6915DD33D71B5E28A3BC764B98424F0CC6BD2E1	D64B555B14182CD54AF01D955D3C68B7A453953EC78252C380E1E9B9A92B0579
C:\Plasma\flash_template.htm	HTML document, ASCII text, with CRLF line terminators	6C06D40B6EC4FD517AC2E36965429007	56EA2FA79765F895AE5CC48091EA0498BB434A73	859418D6AE870AE963703733B4A0B65EE4EBC2C1204213675F95CD4C5CB5C5BF
C:\Plasma\img_template.htm	HTML document, ASCII text, with CRLF line terminators	FE876A19B96F046C4CB009D677B288A8	D05A509569DC2D2D99905E81C4073448E491843F	57AB2AE2C711A7FFABC6D01806EA21A228A00FB7629816FFBA0A69ECB97FE875
C:\Plasma\pbrowser.LIC	ASCII text, with CRLF line terminators	AD37BA1B24D45F617F2CEA42F6475140	7D18AE15779B4E7EC0422316A09B0C08B5A5962A	9F005EDAF5E4EDA2C2C0E4F028219A12AFD30D7C13F163BC730B48FA7DC707FC
C:\Plasma\pbrowser.exe	PE32 executable (GUI) Intel 80386, for MS Windows	0FFB6543E6E60C895920EFD6BB947630	6D4EBD4954023F1EA69D10C22030179E710BDEC5	F86EA20D2063B492544C73A9FE6DE0A8271EE4C292125D9CA9642FD6F70A77C4
C:\Plasma\pmanager.exe	PE32 executable (GUI) Intel 80386, for MS Windows	577686D8E6EDA9E05504BDD0A2E12BE7	1B6297F85D5B1BE66763CF7C500722567E476BAD	CCC528548CF832C745701474EDA4C355815A05484EF96EFF630751451D1CC43D
C:\Plasma\pmarquee.exe	PE32 executable (GUI) Intel 80386, for MS Windows	0E8CC8043E564DCD1C3E101969DAAC69	2382A93AC0E30CBB30199128AA51C7FE56D6AF43	50264F34F96540084F166A97199E726B203C11476E908F4D74D0458445E8B611
C:\Plasma\uninst.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	CACF354184D563CCBABAC0EE6BA7F396	A3FC140B51B5061FBBAE406C23EA860E4969A7D9	B76549696E8D925594E0802B697ABA7E8C5CD15D3940A30CAA572F6629B6AE9A
C:\Plasma\unistr.ini	Unicode text, UTF-16, little-endian text, with CRLF line terminators	8B924E5590FCC395A818CF360783C666	F1B223FC951C84BDA48791C460AD9374E9F22BF5	D39F1C40ABB042EDE08E307176EF905C749BA1FEA99C97FE091EE487D6DF6FA9
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_pmanager.exe_8fbfe26353771c42d2099f513f03c31e2638e2_78c312fa_105b4730-6843-4b6e-ac83-c949d0250b84\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	99D223C28A8EDEEB4E2664AEE795924B	D8CFBFD918D79D0D1B6E5778401CAB68E1859D7A	20D38DC9288FD4892B4578561ED9E36E2299C2FEDEDE7B55AAA20E872909F7D3
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_pmanager.exe_8fbfe26353771c42d2099f513f03c31e2638e2_78c312fa_15d6b9e6-acb0-424a-ac38-5fdc254995e6\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	1102822F809142499913FAEE68B44095	387338419FC75E69BD6EA966D4EA9F2A28FD28AC	4933469A8C47B0D9254CB72CE12DC0BD4C558BF111F3D1CD16168456C21E8AF8
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_pmanager.exe_8fbfe26353771c42d2099f513f03c31e2638e2_78c312fa_c2afb5d5-c6fd-4afc-b662-586a033862a7\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	FD0480ADE0B78837663EF73D9BFB5ADE	941594E346A42EE1C03C98AEEBC716AA36EB272B	241E45FC14279062F8C504CC8D2DD830483574039FA23966A5E8DCEE446E9028
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1350.tmp.dmp	Mini DuMP crash report, 14 streams, Sat Dec 21 13:27:49 2024, 0x1205a4 type	B82D3368558420699FB6BC0135915241	AAE24DA4E1094C9F963525D0153BF7200C33A853	F55736D8B8DBAF48E899215DC2E21BE3B13D721D9E734660E8A90A871C448CF4
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13AF.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A97E41A8C2737D4A79B8E6BF13765AFC	01C2A027FD32282B1D5A3D4CA2690A93DBA12003	34417CC3C58E748855A45BEA183625AD14D6A54D69C5ECEC8B3298C3E1A9A739
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13CF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	EE31E16D1203354331D6594E939EDEC2	B1EC47E5FA96339C3F336C68FF70E587CC0ED56A	100A3C2FB9B4E4CC110B1423EF245E8805737C2DB506C71F32D070AC221EA1CB
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA06D.tmp.dmp	Mini DuMP crash report, 14 streams, Sat Dec 21 13:28:25 2024, 0x1205a4 type	22041767487AC81618362A019FF581BF	F74E1D721C30317749BB6B151CBEC1BC3BECD945	70E0BDBD908D2626A4FFA618E390CB55323DD2172ACAFBFDCCF3FFC2D98AD93A
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0AD.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	7B654EB0837462817FB123F7DCB296B8	667DB14EAC97B7250EC30D0DD9DCA750E71E257E	80E36FECD1C5FD51F51C0605EB0AFE7776CF0D17631A2A9178C9D039D9A227F5
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0CD.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	A878535ABFE887190C06B733FCC5ACD5	24630B3A0E7C3A637142A61FD69F6058F6E8753E	D73334945A4CC54D0CDFECB70F54ED13C20D836C2A01315CED622211D4593A0A
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF902.tmp.dmp	Mini DuMP crash report, 14 streams, Sat Dec 21 13:27:42 2024, 0x1205a4 type	AE9F837013F7ED9DB7EA7FC73BE73641	C025E48AF179C5A5C3A4D65DC1502A658E531AE6	4203840D01D1888665A5CADC3E0461D83A3EA477CECD8990ABC97BCF76A67167
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF990.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	B4DF0D3903C731E85799AE1B02DB2C97	732E120199CC853DF41BDDE35D6C805370E427D9	88482A7CD7D2B1AE3F152318D236DDB0236C90C216E57723E4F4009895731E2C
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9B0.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	42E7F51A07270A890632B980B82D9B29	BE58D8BCE13D96769E860D9D0933908309111035	7B7A8914CC98717A27B2E2831656A43BADF217A4DB17F3F19E1C31D09A783B77
C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	F62D03FCB1473110E920A9BB2C701006	C48444EF2DAA60DCDF91F1645CD4ECD8E66545F7	17E2F205AF12D5A86638DC83C95FC69199C41AF2FA6DAEB1E91EC330F68C5372
C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C9AC0758CE8C10793D39655064C653CB	8BA1F9DFCC671B5102F5940DA67570C28252BC71	161D69C50E5C50D853FDA129B6F6F6BC241214B87D13A33BF93543E7E6886119
C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\ioSpecial.ini	Generic INItialization configuration [Field 1]	6BC3A03A4D2B934F8DF9B89AAD1F297D	2E907F8AB59FCC91D556D455C3F0DD88B1F64FA1	BA10F15EE6D2C6939ABAD00D029EDCD8C75E0A409B70F518190F51974300873A
C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\modern-wizard.bmp	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118	CBE40FD2B1EC96DAEDC65DA172D90022	366C216220AA4329DFF6C485FD0E9B0F4F0A7944	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Browser.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:08 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:08 2010, length=551936, window=hide	A5AE8B2C607D146CEA1EE680C3A5C25A	B35A89F700065B3B79F0849EBB67290E81A41F39	6E92E41AE1FC60B5C152CF50C92BE2029C1DFAC9696477D169BD5C8CB388D5F5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Manager.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:28 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:28 2010, length=647168, window=hide	FAABD6D432BA62D5F219BA0BF9FB3FD5	6AAEF0BF92AC54DC17D2C307607D8EA6B3AB562A	F079DFEF4847C5D25228C4A840CEAF8E6C587D70A563127F8AB170AB051D73D6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Uninstall.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide	85F75995C1668699EFCA3689B18AAAAF	BCF7A25E72C69FD4959A9A426891F3243BB5565D	C661ABFD6D4E5D360A591BD975980A400E3495CBFDF5DEAD8BC88C4C5520E172
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Website.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Dec 21 12:27:31 2024, mtime=Sat Dec 21 12:27:31 2024, atime=Sat Dec 21 12:27:31 2024, length=46, window=hide	D22C9812CB97245A0E8A6B6FED0138C1	A95D84119D0016D7F8D4EEC824CB2C66CE2437A0	6461B752A9DDACFE71E25E00AFE5F915A00613CF90AF8CCB216FFB97A05D40CE
C:\Users\user\Desktop\Browser.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:08 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:08 2010, length=551936, window=hide	B56FB70EB43918AC88B8BF849DADF845	F37224A2F49190CEEF600B6388FB11BAD3C2BF7C	C390A791A6DC1371C86758E3D1998EA1C834C9475A70D8C1DE72777EC68EEDE2
C:\Users\user\Desktop\Manager.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:28 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:28 2010, length=647168, window=hide	93D864E617A5A6AB19987AA9572DBE61	C1CBE5C8A9BCDC10A8053925BDFF7DD71D03706B	4CFAAC108F078528D2F67C141BC233244D0C81AF639490BD9D8C68EB284FA316

AV Detection

Machine Learning detection for dropped file

Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected
Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected
Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected
Source: C:\Plasma\Switcher.exe	Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe	Joe Sandbox ML: detected

Uses 32bit PE files

Source: PlasmaSetup@LR_2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\

One or more processes crash

Source: C:\Plasma\pmanager.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 648

Uses 32bit PE files

Source: PlasmaSetup@LR_2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus25.winEXE@9/46@0/11

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma

Source: C:\Plasma\pmanager.exe	Mutant created: \Sessions\1\BaseNamedObjects\IB.SQL.MONITOR.Mutex4_1
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5076
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4856
Source: C:\Plasma\pbrowser.exe	Mutant created: \Sessions\1\BaseNamedObjects\LDV_BROWSER
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3916

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File created: C:\Users\user\AppData\Local\Temp\nsn7F2F.tmp

Source: Yara match	File source: 0000000A.00000002.1448474464.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1655947520.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY

Source: PlasmaSetup@LR_2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Plasma\pbrowser.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pmanager.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pmanager.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pbrowser.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pmanager.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File read: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

Source: unknown	Process created: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe "C:\Users\user\Desktop\PlasmaSetup@LR_2.exe"
Source: unknown	Process created: C:\Plasma\pbrowser.exe "C:\Plasma\pbrowser.exe"
Source: unknown	Process created: C:\Plasma\pmanager.exe "C:\Plasma\pmanager.exe"
Source: C:\Plasma\pmanager.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 648
Source: unknown	Process created: C:\Plasma\pmanager.exe "C:\Plasma\pmanager.exe"
Source: C:\Plasma\pmanager.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 624
Source: unknown	Process created: C:\Plasma\pbrowser.exe "C:\Plasma\pbrowser.exe"
Source: unknown	Process created: C:\Plasma\pmanager.exe "C:\Plasma\pmanager.exe"
Source: C:\Plasma\pmanager.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 620

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Section loaded: cscapi.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: apphelp.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: urlmon.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: version.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: winmm.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: iertutil.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: srvcli.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: netutils.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: apphelp.dll
Source: C:\Plasma\pmanager.exe	Section loaded: version.dll
Source: C:\Plasma\pmanager.exe	Section loaded: winmm.dll
Source: C:\Plasma\pmanager.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pmanager.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pmanager.exe	Section loaded: gds32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pmanager.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: version.dll
Source: C:\Plasma\pmanager.exe	Section loaded: winmm.dll
Source: C:\Plasma\pmanager.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pmanager.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pmanager.exe	Section loaded: gds32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pmanager.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: urlmon.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: version.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: winmm.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: iertutil.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: srvcli.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: netutils.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pbrowser.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: version.dll
Source: C:\Plasma\pmanager.exe	Section loaded: winmm.dll
Source: C:\Plasma\pmanager.exe	Section loaded: uxtheme.dll
Source: C:\Plasma\pmanager.exe	Section loaded: olepro32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: kernel.appcore.dll
Source: C:\Plasma\pmanager.exe	Section loaded: gds32.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textshaping.dll
Source: C:\Plasma\pmanager.exe	Section loaded: textinputframework.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coreuicomponents.dll
Source: C:\Plasma\pmanager.exe	Section loaded: coremessaging.dll
Source: C:\Plasma\pmanager.exe	Section loaded: ntmarta.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe

File written: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\ioSpecial.ini

Source: C:\Plasma\pbrowser.exe

Window found: window name: TEdit

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PlasmaSetup@LR_2.exe

Static file information: File size 2046487 > 1048576

Drops PE files

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\pmarquee.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\pbrowser.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\Switcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\pmanager.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Plasma\uninst.exe	Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Manager.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Browser.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Website.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Uninstall.lnk

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pbrowser.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pbrowser.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Plasma\pmanager.exe	Window / User API: threadDelayed 2268
Source: C:\Plasma\pmanager.exe	Window / User API: threadDelayed 4093
Source: C:\Plasma\pmanager.exe	Window / User API: threadDelayed 824

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\pmarquee.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\Switcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\pmanager.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Dropped PE file which has not been started: C:\Plasma\uninst.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Plasma\pmanager.exe TID: 6408	Thread sleep count: 58 > 30
Source: C:\Plasma\pmanager.exe TID: 1488	Thread sleep count: 31 > 30
Source: C:\Plasma\pmanager.exe TID: 1488	Thread sleep count: 4093 > 30
Source: C:\Plasma\pmanager.exe TID: 1344	Thread sleep count: 42 > 30
Source: C:\Plasma\pmanager.exe TID: 1344	Thread sleep count: 89 > 30
Source: C:\Plasma\pmanager.exe TID: 4008	Thread sleep count: 824 > 30

Queries disk information (often used to detect virtual machines)

Source: C:\Plasma\pbrowser.exe

File opened: PHYSICALDRIVE0

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	File opened: C:\Users\user\AppData\Local\Temp\

Checks if the current process is being debugged

Source: C:\Plasma\pmanager.exe	Process queried: DebugPort
Source: C:\Plasma\pmanager.exe	Process queried: DebugPort
Source: C:\Plasma\pmanager.exe	Process queried: DebugPort

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe	Queries volume information: C:\ VolumeInformation

ID:	1579303
Product:	CloudBasic
Start time:	14:26:42
Start date:	21.12.2024
Sample:	PlasmaSetup@LR_2.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3443898e0b0bd2a27c1bcebfe41b702e
SHA1:	3d83edc844cb4c011e9a5a554fe99a6f128e21ca
SHA256:	de4c90695da23b3ed3a399bf5cdc2e5f85f3c074180480b19fb54dcb0ece007f
Filetype:	Win32 Executable (generic) a (10002005/4) 92.16%

Windows Analysis Report
PlasmaSetup@LR_2.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Windows Analysis Report PlasmaSetup@LR_2.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Windows Analysis Report
PlasmaSetup@LR_2.exe