Windows Analysis Report
PlasmaSetup@LR_2.exe

Overview

General Information

Sample name: PlasmaSetup@LR_2.exe
Analysis ID: 1579303
MD5: 3443898e0b0bd2a27c1bcebfe41b702e
SHA1: 3d83edc844cb4c011e9a5a554fe99a6f128e21ca
SHA256: de4c90695da23b3ed3a399bf5cdc2e5f85f3c074180480b19fb54dcb0ece007f

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Machine Learning detection for dropped file
Checks if the current process is being debugged
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • PlasmaSetup@LR_2.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\PlasmaSetup@LR_2.exe" MD5: 3443898E0B0BD2A27C1BCEBFE41B702E)
  • pbrowser.exe (PID: 6488 cmdline: "C:\Plasma\pbrowser.exe" MD5: 0FFB6543E6E60C895920EFD6BB947630)
  • pmanager.exe (PID: 4856 cmdline: "C:\Plasma\pmanager.exe" MD5: 577686D8E6EDA9E05504BDD0A2E12BE7)
    • WerFault.exe (PID: 5564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • pmanager.exe (PID: 5076 cmdline: "C:\Plasma\pmanager.exe" MD5: 577686D8E6EDA9E05504BDD0A2E12BE7)
    • WerFault.exe (PID: 5552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • pbrowser.exe (PID: 6004 cmdline: "C:\Plasma\pbrowser.exe" MD5: 0FFB6543E6E60C895920EFD6BB947630)
  • pmanager.exe (PID: 3916 cmdline: "C:\Plasma\pmanager.exe" MD5: 577686D8E6EDA9E05504BDD0A2E12BE7)
    • WerFault.exe (PID: 1820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 620 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Source | Rule | Description | Author | Strings
0000000A.00000002.1448474464.0000000000401000.00000040.00000001.01000000.0000000C.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000010.00000002.1655947520.0000000000401000.00000040.00000001.01000000.0000000D.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
No Sigma rule has matched
No Suricata rule has matched
AV Detection

Source: C:\Plasma\Switcher.exe | Joe Sandbox ML: detected
Source: C:\Plasma\pmarquee.exe | Joe Sandbox ML: detected
Source: PlasmaSetup@LR_2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Plasma\pmanager.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 648
Source: classification engine | Classification label: sus25.winEXE@9/46@0/11
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma
Source: C:\Plasma\pmanager.exe | Mutant created: \Sessions\1\BaseNamedObjects\IB.SQL.MONITOR.Mutex4_1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5076
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4856
Source: C:\Plasma\pbrowser.exe | Mutant created: \Sessions\1\BaseNamedObjects\LDV_BROWSER
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3916
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Local\Temp\nsn7F2F.tmp
Source: Yara match | File source: 0000000A.00000002.1448474464.0000000000401000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1655947520.0000000000401000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: PlasmaSetup@LR_2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Plasma\pbrowser.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Plasma\pmanager.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File read: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
Source: unknown | Process created: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe "C:\Users\user\Desktop\PlasmaSetup@LR_2.exe"
Source: unknown | Process created: C:\Plasma\pbrowser.exe "C:\Plasma\pbrowser.exe"
Source: unknown | Process created: C:\Plasma\pmanager.exe "C:\Plasma\pmanager.exe"
Source: C:\Plasma\pmanager.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 648
Source: C:\Plasma\pmanager.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 624
Source: C:\Plasma\pmanager.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 620
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Section loaded: cscapi.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: apphelp.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: urlmon.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: version.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: winmm.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: iertutil.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: srvcli.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: netutils.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: uxtheme.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: olepro32.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: kernel.appcore.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: textshaping.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: textinputframework.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: coreuicomponents.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: coremessaging.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: ntmarta.dll
Source: C:\Plasma\pbrowser.exe | Section loaded: wintypes.dll
Source: C:\Plasma\pmanager.exe | Section loaded: apphelp.dll
Source: C:\Plasma\pmanager.exe | Section loaded: version.dll
Source: C:\Plasma\pmanager.exe | Section loaded: winmm.dll
Source: C:\Plasma\pmanager.exe | Section loaded: uxtheme.dll
Source: C:\Plasma\pmanager.exe | Section loaded: olepro32.dll
Source: C:\Plasma\pmanager.exe | Section loaded: kernel.appcore.dll
Source: C:\Plasma\pmanager.exe | Section loaded: gds32.dll
Source: C:\Plasma\pmanager.exe | Section loaded: textshaping.dll
Source: C:\Plasma\pmanager.exe | Section loaded: textinputframework.dll
Source: C:\Plasma\pmanager.exe | Section loaded: coreuicomponents.dll
Source: C:\Plasma\pmanager.exe | Section loaded: coremessaging.dll
Source: C:\Plasma\pmanager.exe | Section loaded: ntmarta.dll
Source: C:\Plasma\pmanager.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File written: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\ioSpecial.ini
Source: C:\Plasma\pbrowser.exe | Window found: window name: TEdit
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: PlasmaSetup@LR_2.exe | Static file information: File size 2046487 > 1048576
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Plasma\pmarquee.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Plasma\pbrowser.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Plasma\Switcher.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Plasma\pmanager.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Plasma\uninst.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Manager.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Browser.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Website.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Plasma\Uninstall.lnk
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pbrowser.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Plasma\pmanager.exe | Window / User API: threadDelayed 2268
Source: C:\Plasma\pmanager.exe | Window / User API: threadDelayed 4093
Source: C:\Plasma\pmanager.exe | Window / User API: threadDelayed 824
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Dropped PE file which has not been started: C:\Plasma\pmarquee.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Dropped PE file which has not been started: C:\Plasma\Switcher.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Dropped PE file which has not been started: C:\Plasma\pmanager.exe
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Dropped PE file which has not been started: C:\Plasma\uninst.exe
Source: C:\Plasma\pmanager.exe TID: 6408 | Thread sleep count: 58 > 30
Source: C:\Plasma\pmanager.exe TID: 1488 | Thread sleep count: 31 > 30
Source: C:\Plasma\pmanager.exe TID: 1488 | Thread sleep count: 4093 > 30
Source: C:\Plasma\pmanager.exe TID: 1344 | Thread sleep count: 42 > 30
Source: C:\Plasma\pmanager.exe TID: 1344 | Thread sleep count: 89 > 30
Source: C:\Plasma\pmanager.exe TID: 4008 | Thread sleep count: 824 > 30
Source: C:\Plasma\pbrowser.exe | File opened: PHYSICALDRIVE0
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Plasma\pmanager.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PlasmaSetup@LR_2.exe | Queries volume information: C:\ VolumeInformation
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
Persistence: DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Login Hook, Network Logon Script
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (3), Process Injection (1), DLL Side-Loading (1), Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (2), Virtualization/Sandbox Evasion (3), Application Window Discovery (1), File and Directory Discovery (3), System Information Discovery (22)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

      No Antivirus matches
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\LangDLL.dll | 0% | Virustotal
C:\Plasma\Switcher.exe | 100% | Joe Sandbox ML
C:\Plasma\pmarquee.exe | 100% | Joe Sandbox ML
C:\Plasma\Switcher.exe | 7% | ReversingLabs
C:\Plasma\Switcher.exe | 5% | Virustotal
C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\InstallOptions.dll | 0% | ReversingLabs
      No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
52.182.143.212 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.189.173.21 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1579303
      Start date and time:2024-12-21 14:26:42 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:defaultwindowsinteractivecookbook.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:30
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      Analysis Mode:stream
      Analysis stop reason:Timeout
      Sample name:PlasmaSetup@LR_2.exe
      Detection:SUS
      Classification:sus25.winEXE@9/46@0/11
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.182.143.212
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: C:\Plasma\pmanager.exe
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:data
      Category:dropped
      Size (bytes):2691072
      Entropy (8bit):2.5236960767869427
      Encrypted:false
      SSDEEP:
      MD5:E172FCCDBD2AE7137ECFC6ED8C0DC163
      SHA1:DAB22F8226C56ECDC3CC9E13E422C7399643A02C
      SHA-256:625BF3AD5AB727E9918C812FC2E1E79408A11946DF931EE100747AF91DB7BA77
      SHA-512:885350E0E246EFDA677FD38D80A4CB5E60E948CDC58FC154FA82038FDFE82428A6CF50E6214C94AD0783DCB7DB1E261F8D00529814AC459E8A925C99E2AEDFB5
      Malicious:false
      Reputation:unknown
      Preview:..90........................................,....^.+..............`.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:ISO-8859 text, with CRLF, LF line terminators
      Category:dropped
      Size (bytes):6417
      Entropy (8bit):5.880322326496533
      Encrypted:false
      SSDEEP:
      MD5:D534FCE9736A58549E4850BDFB8CA316
      SHA1:AD9601900E9D2C99435A5137FF02E70F32BB6C72
      SHA-256:551B9941F1E1B39DC81F5C20BB7602237862DC026643AD0F09848CA73BF24427
      SHA-512:EEAEFBDD347B6F09E80B9BB9EDA154D2D6AF94589753086DA742FD6EE64A215C8D1EEC89884F62C4124AC327100E422C92218B94D9F07DF751E83B719769F93C
      Malicious:false
      Reputation:unknown
      Preview:[MiscellaneousStrings]..DTFMTSTR[1]=mm"/"dd"/"yyyy#32hh":"nn..DTFMTSTR[2]=mm.dd.yyyy#13hh:nn..DTFMTSTR[3]=mm"."dd"."yyyy##32#32#32#3232hh":"nn":"ss..DTFMTSTR[4]=mm"/"dd"/"yyyy#32hh":"nn":"ss..DTFMTSTR[5]=mm"/"dd"/"yyyy..MSGSTR[1]=..#32...#32....#32...#32.....#32...MSGSTR[2]=#32.......HTML..MSGSTR[3]=...#32...........MSGSTR[4]=......MSGSTR[5]=......MSGSTR[6]=....#32......#32..........MSGSTR[7]=........MSGSTR[8]=...#32.......MSGSTR[9]=%d#...#32......#32....32..MSGSTR[10]=%d#....#32.....32..MSGSTR[11]=##32#32#32#3232...#32......MSGSTR[12]=#32.........#322004T.I.P.A.S.#......32..MSGSTR[13]=%s#..#32...#32......#32...#32.....32..MSGSTR[14]=%s:#..#32.......#32......#32.......32..MSGSTR[15]=....#32.....#32....#32....#32.......#32....#32.....#32........MSGSTR[16]=.......#32...#32..#32....#32...#32......MSGSTR[17]=....#32.....#32...#32..#32....#32.....#32..#32.......MSGSTR[18]=......MSGSTR[19]=.....#32.....#32.......,#32..#32....#32....#32..#32...#32......DialogCaptions[0]=.......DialogCaption
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):6879
      Entropy (8bit):5.3570613078483715
      Encrypted:false
      SSDEEP:
      MD5:0E1234A7EA37A7881C8F9148DABD45C6
      SHA1:E5F53E1184BFDE14CC4B21169783738B1BD7D0D1
      SHA-256:6A634AEA1156345CC401C5AFAAB1E5907B158DA76ED85B0031078567EC1E93FC
      SHA-512:0B421135F0E0E6AA19433B093DEECEFEF9BE537DE08B901193BDABE83BD6E998A9750465E04A0C4D291CA32D214FD6D74B22E0DA60BCE75C27BDE4BC5854154B
      Malicious:false
      Reputation:unknown
      Preview:[MiscellaneousStrings]..DTFMTSTR[1]=mm"/"dd"/"yyyy#32hh":"nn..DTFMTSTR[2]=mm.dd.yyyy#13hh:nn..DTFMTSTR[3]=mm"."dd"."yyyy#32#32#32#32#32hh":"nn":"ss..DTFMTSTR[4]=mm"/"dd"/"yyyy#32hh":"nn":"ss..DTFMTSTR[5]=mm"/"dd"/"yyyy..MSGSTR[1]=Do#32you#32really#32want#32to#32delete#32#a32record#32?..MSGSTR[2]=HTML#32document..MSGSTR[3]=PowerPoint#32presentation ..MSGSTR[4]=Picture..MSGSTR[5]=Movie..MSGSTR[6]=Flash#32animation..MSGSTR[7]=Context..MSGSTR[8]=Unknown..MSGSTR[9]=New#32presentation#32%d..MSGSTR[10]=New#32fragment#32%d..MSGSTR[11]=#32#32#32#32#32Presentation#32manager..MSGSTR[12]=Copyright#32T.I.P.A.S.#32Ltd.#322004..MSGSTR[13]=File#32%s#32not#32found..MSGSTR[14]=Connected#32to#32database:#32%s..MSGSTR[15]=Action#32cancelled,#32delete#32all#32dependent#32records#32first..MSGSTR[16]=Field#32must#32have#32a#32value..MSGSTR[17]=Field#32value#32must#32be#32unique..MSGSTR[18]=Queue..MSGSTR[19]=Updating#32transaction#32conflict,#32please,#32try#32later..DialogCaptions[0]=Warning..DialogCaptions[
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:ISO-8859 text, with CRLF line terminators
      Category:dropped
      Size (bytes):757
      Entropy (8bit):5.058778046111236
      Encrypted:false
      SSDEEP:
      MD5:A33EB4D5FE1F920301C55E6085EDBE4D
      SHA1:5E74F825B40B4F7B22897BBE5EDC3AF04DF95486
      SHA-256:8728F982D19B6B4217272C96603C252F8276E7EABC0F3C876EF178FC8B6E3C34
      SHA-512:9261FDEFBB64EA7E5D30CB7C1B7B3DCDDBC841161B1E1EBB2890F1A21EB8F58412503D573D0FC99FCA47134B3A8869FF7874D44E47232A911ED0FE2C3D1F5E14
      Malicious:false
      Reputation:unknown
      Preview:[MiscellaneousStrings]..MSGSTR[1]=Bandome#32.....MSGSTR[2]=Klaida#32!....DialogCaptions[0]=.sp.jimas..DialogCaptions[1]=Klaida..DialogCaptions[2]=Informacija..DialogCaptions[3]=Patvirtinkite..DialogCaptions[4]=..ButtonCaptions[0]=&Taip..ButtonCaptions[1]=&Ne..ButtonCaptions[2]=&T.sti..ButtonCaptions[3]=&At.aukti..ButtonCaptions[4]=&Nutraukti..ButtonCaptions[5]=&Kartoti..ButtonCaptions[6]=&Ignor...ButtonCaptions[7]=&Visus..ButtonCaptions[8]=&Ne#32visiems..ButtonCaptions[9]=&Taip#32visiems..ButtonCaptions[10]=&Pagalba....[SwitchFrm]..Caption=Kanal.#32perjungimas..Label10.Caption=IP#32adresas..Label11.Caption=Portas..Label1.Caption=#32Diapazonas#32..Label2.Caption=Kanalas..SwitchBtn.Caption=Jungti..TSCombo.Items[0]=Kabelin...TSCombo.Items[1]=Antena..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows 3.1 help, Thu Sep 14 12:44:24 2006, 5564 bytes
      Category:dropped
      Size (bytes):5564
      Entropy (8bit):3.0942332331108044
      Encrypted:false
      SSDEEP:
      MD5:9A9F5FAD1FB0C573AEA5E9EE1A2ADBAC
      SHA1:EAE61C5FFAEC94DC2659C6B428BFE56D87B24DD0
      SHA-256:3EDB79A4A683A68E11179D8DFDC73C917122BF9AD6C2D4656805F7C61AA4E450
      SHA-512:457B00BA14000CCD3B168B1B22074EEB984510E1B4A3D3E9456BD262A79DDAC84A4465EA97366B30230C87A5D130BFE7CE4DC72519C86DB8E4EFC2F355FF75C8
      Malicious:false
      Reputation:unknown
      Preview:?_..V...........F...=....l.!....2.E......Plasma...................................../...&....;)....z4......................................|CONTEXT.....|CTXOMAP.S...|FONT.....|SYSTEM.....|TOPIC.....|TTLBTREE.^.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows 95 Internet shortcut text (URL=<http://www.tipas.lt/>), ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):46
      Entropy (8bit):4.447262499441209
      Encrypted:false
      SSDEEP:
      MD5:FC29AF24D943C5310D45F20385D325A6
      SHA1:79BAE63BF7961BB23F1608129AEC7A54683F4C89
      SHA-256:355B52961A7EA01A691FCE3ED033EC8C6ECCBE41C728500320FA464A3E86A527
      SHA-512:552971F6EC861DB322B9C70BB669F12186327DEB7D30C81F64BB7054830A6BEAA0665267238FBFE4590F45DF0F63765BFCC5429929F08BECECE14DA8F5937C56
      Malicious:false
      Reputation:unknown
      Preview:[InternetShortcut]..URL=http://www.tipas.lt/..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:Non-ISO extended-ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):7151
      Entropy (8bit):5.540409986482806
      Encrypted:false
      SSDEEP:
      MD5:BBEBA1EEDDCE8E8FA541EBC0D4A6345B
      SHA1:97006D0E0BFD23D09DE9C37207E9CC6FF800D16E
      SHA-256:669778D94CE77B919285DB7DB43B5498782E4C8E949BB758D3786750A4714317
      SHA-512:B390572CE3630BC73F16A6FAC4E527CD9A05808734731E89E12DD1682019CE1B48967598F0A020903D8D2767A63B251787E1502999CAD3A96636786CB2187D8C
      Malicious:false
      Reputation:unknown
      Preview:[MiscellaneousStrings]..DTFMTSTR[1]=yyyy"/"mm"/"dd#32hh":"nn..DTFMTSTR[2]=yyyy.mm.dd#13hh:nn..DTFMTSTR[3]=yyyy"."mm"."dd#32#32#32#32#32hh":"nn":"ss..DTFMTSTR[4]=yyyy"/"mm"/"dd#32hh":"nn":"ss..DTFMTSTR[5]=yyyy"/"mm"/"dd..MSGSTR[1]=Czy#32naprawd.#32chcecie#32usun..#32zapis#32?..MSGSTR[2]=HTML#32dokument..MSGSTR[3]=Prezentacja#32PowerPoint ..MSGSTR[4]=Obrazek..MSGSTR[5]=Film..MSGSTR[6]=Animacja#32Flash..MSGSTR[7]=Kontekstowy..MSGSTR[8]=Niewiadomy..MSGSTR[9]=Nowa#32prezentacja#32%d..MSGSTR[10]=Nowy#32fragment#32%d..MSGSTR[11]=#32#32#32#32#32Kierowanie#32prezentacjami..MSGSTR[12]=Copyright#32UAB#32"TIPAS"#322007..MSGSTR[13]=Plik#32%s#32nie#32znaleziono..MSGSTR[14]=Korzystamy#32z#32bazy#32danych:#32%s..MSGSTR[15]=Operacja#32odwo.ana,#32najpierw#32usun..#32wszystkie#32zale.ne#32zapisy..MSGSTR[16]=Pole#32powinno#32by.#32wype.nione..MSGSTR[17]=Znaczenie#32pola#32powinno#32by.#32unikalne..MSGSTR[18]=Kolejka..MSGSTR[19]=Konflikt#32odnawiaj.cych#32tranzakcji,#32spr.bowa.#32p.niej..MSGSTR[20]=Miej
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:ISO-8859 text, with CRLF line terminators
      Category:dropped
      Size (bytes):742
      Entropy (8bit):5.222374336592148
      Encrypted:false
      SSDEEP:
      MD5:43DC7F1E23E9E63573CEE3D965FDC56B
      SHA1:3B02C56C5D1CE373B8CA66FCBE40EBDA1A89B090
      SHA-256:C3C4818F3C8BF7FA0B95047BBA6353EB742610293EE08931CF3676885E85C251
      SHA-512:6AB7D32088A4E080A44ED34B46A96EFDF79EAF480DAFC460F0F98783E1633A2A037268735A9B59EC0E123B841A38EC58D2B87FB24F357B8E5537714E61DDD0C6
      Malicious:false
      Reputation:unknown
      Preview:[MiscellaneousStrings]..MSGSTR[1]=Pod..czenie#32.....MSGSTR[2]=B..d#32!..DialogCaptions[0]=Ostrze.enie..DialogCaptions[1]=B..d..DialogCaptions[2]=Informacja..DialogCaptions[3]=Potwierdzi...DialogCaptions[4]=..ButtonCaptions[0]=&Tak..ButtonCaptions[1]=&Nie..ButtonCaptions[2]=&Kontyn...ButtonCaptions[3]=&Odwo.a...ButtonCaptions[4]=&Przerwa...ButtonCaptions[5]=Pow&t.rzy...ButtonCaptions[6]=&Ignor...ButtonCaptions[7]=&Wszystkie..ButtonCaptions[8]=Wszystkim#32Nie..ButtonCaptions[9]=Wszystkim#32Tak..ButtonCaptions[10]=Po&moc....[SwitchFrm]..Caption=Prze..cz.#32kana..w..Label10.Caption=IP#32adres..Label11.Caption=Port..Label1.Caption=Zakres..Label2.Caption=Kana...SwitchBtn.Caption=Prze....TSCombo.Items[0]=Kablowe..TSCombo.Items[1]=Antena..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:ISO-8859 text, with CRLF line terminators
      Category:dropped
      Size (bytes):7133
      Entropy (8bit):6.059987175339898
      Encrypted:false
      SSDEEP:
      MD5:3CE6FC79ABF71199E374C43E6357C7CE
      SHA1:DBAA15260E6F9A6AB92FEF9863BE9CF4EADA5696
      SHA-256:6BD1483B23EB3B7446B1BABC3B0C7CEA3990072B23CB73326CA6CAD5C638ACF0
      SHA-512:D68F82181B060BCEEB17E36E75E51631BF14922CB9BEBC24BC3BCD75E581EBCDA6403BDD070E2DEF51CBB4579EF863B8EFAE4028FBA8D3A77570318A54D8A199
      Malicious:false
      Reputation:unknown
      Preview:[MiscellaneousStrings]..DTFMTSTR[1]=dd"/"mm"/"yyyy#32hh":"nn..DTFMTSTR[2]=dd.mm.yyyy#13hh:nn..DTFMTSTR[3]=dd"."mm"."yyyy#32#32#32#32#32hh":"nn":"ss..DTFMTSTR[4]=dd"/"mm"/"yyyy#32hh":"nn":"ss..DTFMTSTR[5]=dd"/"mm"/"yyyy..MSGSTR[1]=..#32.............#32.......#32.......#32......#32?..MSGSTR[2]=HTML#32..........MSGSTR[3]=...........#32PowerPoint ..MSGSTR[4]=..........MSGSTR[5]=.......MSGSTR[6]=........#32Flash..MSGSTR[7]=.............MSGSTR[8]=.............MSGSTR[9]=.....#32...........#32%d..MSGSTR[10]=.....#32........#32%d..MSGSTR[11]=#32#32#32#32#32..........#32...............MSGSTR[12]=Copyright#32...#32T.I.P.A.S.#322004..MSGSTR[13]=....#32%s#32..#32........MSGSTR[14]=............#32....#32......:#32%s..MSGSTR[15]=........#32........,#32.......#32.......#32...#32.........#32........MSGSTR[16]=....#32......#32....#32...........MSGSTR[17]=........#32....#32......#32....#32............MSGSTR[18]=.........MSGSTR[19]=........#32...........#32..........,#32..........#32.......MSGSTR[20]=....
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:ISO-8859 text, with CRLF line terminators
      Category:dropped
      Size (bytes):733
      Entropy (8bit):5.563450964599332
      Encrypted:false
      SSDEEP:
      MD5:5C7CDF2091389247FCE1FF3A048F6E26
      SHA1:CE247D56F02805E15540A8378AD1208942CABED9
      SHA-256:9788C1FCA6ECEC810EB50C90CE425648870D604EC8F61F6E199B3321D1F85606
      SHA-512:BCCCBFDC5B1E7404F7342A35D159646709D29773E6F7201B63E8549E73E7BCBADE2B82BDA69D942A30A018E888022775A791ABFF0C3F522B1E6355C71C7AADCC
      Malicious:false
      Reputation:unknown
      Preview:[MiscellaneousStrings]..MSGSTR[1]=...........#32.....MSGSTR[2]=......#32!..DialogCaptions[0]=................DialogCaptions[1]=........DialogCaptions[2]=............DialogCaptions[3]=.............DialogCaptions[4]=..ButtonCaptions[0]=&....ButtonCaptions[1]=&.....ButtonCaptions[2]=&..........ButtonCaptions[3]=&........ButtonCaptions[4]=.&.........ButtonCaptions[5]=...&.....ButtonCaptions[6]=&........ButtonCaptions[7]=&.....ButtonCaptions[8]=...#32......ButtonCaptions[9]=..#32......ButtonCaptions[10]=..&........[SwitchFrm]..Caption=.......#32.........Label10.Caption=IP#32.......Label11.Caption=......Label1.Caption=..........Label2.Caption=.......SwitchBtn.Caption=.........TSCombo.Items[0]=...........TSCombo.Items[1]=.........
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):349696
      Entropy (8bit):7.889860562202818
      Encrypted:false
      SSDEEP:
      MD5:1DBE55284443373424CDACDFE05743D6
      SHA1:86CE06DFB160EDE7637052B5A98218BBCF7C774F
      SHA-256:68581C13221CF66A403D205D73E1B8D0484826B1BA7C56E1B5788052FBB6205E
      SHA-512:BC39EDA19CA0309685F3315C2AA5B8D159F59E5E520FF09B95DB6A8B178ADD8B8B3EE35FC93DEF90806D944E41DBDE9BC2A082BA314EEFDF7BC72F2647977084
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: ReversingLabs, Detection: 7%
      • Antivirus: Virustotal, Detection: 5%, Browse
      Reputation:unknown
      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................@... ...`.......p........@..............................................@..........................D...........D...........................................................................................................code.....`..............................text.....@...p...8..................@....rsrc.... ...........<..............@..............................................................................................................................................................................................................................................................................................................................................................................1.20........
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):755
      Entropy (8bit):5.638874228476603
      Encrypted:false
      SSDEEP:
      MD5:8CF8283B22DEC5FBB208CE7956229BD7
      SHA1:AAEE9C841A5015505224CF176252C73427017DA1
      SHA-256:2DE3473101F2581EEB2954BA3370DF5680D11C165E4DD6C00EA42D8C9D149AB4
      SHA-512:51D4E3EAE346C05E8EE51CCC886A4C1A6F8A91DD264A0B60A709B13E223179B747BE8D052BD1128E1C8FCA183BD21183A009B70EC739EBAE7D3792AF59DC95AD
      Malicious:false
      Reputation:unknown
      Preview:<HTML>....<HEAD>..<TITLE>TV Tuner Template</TITLE>..<SCRIPT language=Javascript>.... ..var tscontainer, ts, tr;..var tsnr = <#TSNR>;..var chnr = <#CHNR>;....function window_onload(){.. tscontainer = new ActiveXObject('BDATuner.SystemTuningSpaces');.. if (tsnr == 1) {.. ts = tscontainer('Cable');.. } else {.. ts = tscontainer('Antenna');.. }.. tr = ts.CreateTuneRequest();.. tr.Channel = chnr;.. MSVidCtl.View(tr);.. MSVidCtl.Run();..}....//-->..</Script>....</HEAD>....<BODY BGCOLOR="#000001" TEXT="#FFFFFF" LINK="#FCCB7A" VLINK="#551A8B" ALINK="#EE0000" onLoad="window_onload()">....<CENTER>..<OBJECT ID="MSVidCtl" CLASSID="CLSID:B0EDF163-910A-11D2-B632-00C04F79498E" Width="100%" Height="100%"></OBJECT>..</CENTER>....</BODY>..</HTML>
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):822
      Entropy (8bit):5.570684659130369
      Encrypted:false
      SSDEEP:
      MD5:28A877653797AD125534DFE741D63D01
      SHA1:952458208ABC20C587B2FDAB964A4790BE0529D3
      SHA-256:D8862B48DAA870A825DC051E58C4A643DFBEAF671F57CE70C3955C90024DEF4F
      SHA-512:9CD7C860D063471C2F25109624BBFF328AE41FCB8C8A0761C52207B69B322C5D2B146328A6C004D585880B4B6B87804951A7B2868E14F8B6EFCB1AEB0DB194F7
      Malicious:false
      Reputation:unknown
      Preview:<html>....<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>MOVIE</title>..</head>....<body bgcolor=#000000 scroll=no>....<p>..<object classid="clsid:E23FE9C6-778E-49D4-B537-38FCDE4887D8" id="MediaPlayer" WIDTH="<#SCREENWIDTH>" HEIGHT="<#SCREENHEIGHT>" style="position:absolute;left:0;top:0">.. <param name="Src" value="">.. <param name="AutoLoop" value="False">.. <param name="AutoPlay" value="False">.. <param name="ShowDisplay" value="False">.. <param name="Volume" value="100">..</object>..</p>....<script language="Javascript">.. ....MediaPlayer.playlistClear();..var options = [':audio-track=<#AUDIOTRACK>', ':sub-track=<#SUBTITLETRACK>'];..MediaPlayer.addTarget('<#MMFILENAME>@<#DVDTITLENR>', options, 2, 0);..MediaPlayer.play();....//-->..</script>....</body>....</html>..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):572
      Entropy (8bit):5.163277985600022
      Encrypted:false
      SSDEEP:
      MD5:B2F07009CD2DE818857AA08A7E2C938F
      SHA1:F851986606807B559D4405FA172DE892F8BD63CB
      SHA-256:A1AF951605377D9ECCB3056B6491B0907A56669C55C339ABBEBFEF11AAF6E5FB
      SHA-512:E09CC04D86DB5B9931448B42684FE3172DCEBBBE479EF35E555E8FA161F73777C5DADFA7105B738A149B720AF3D131C454B0B6350AC6AA5E48A35A53B2F090C8
      Malicious:false
      Reputation:unknown
      Preview:<html>....<head>..<#EFFECT>..<meta http-equiv="Content-Language" content="lt">..<meta name="GENERATOR" content="Presentation">..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>Presentation</title>....<script language=JavaScript>.. ....function clickIE4(){.. if (event.button==2){.. return false;.. }..}....if (document.all&&!document.getElementById){.. document.onmousedown=clickIE4;..}....document.oncontextmenu=new Function("return false")....// --> ..</script>....</head>....<body scroll=no bgcolor=<#BGCOLOR>>..</body>....</html>..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):739
      Entropy (8bit):5.4110535983438695
      Encrypted:false
      SSDEEP:
      MD5:F00DA3892F8B9742D99EAC1C70158430
      SHA1:72BE1A8A42BA878BD1C16BD1A17C1A8CF448065E
      SHA-256:103E7E284CFAC2CF7AA291C29C91522F7D16379CA5C119C6B03BE5083402601A
      SHA-512:9670192174B1F55686A0949639BD24700E32029D70F2DDF9698AA3AB49F0411287AADB43D62D75CFB45B051BF06452BB1A49BE0A57EA2DABA90A2CF359AFA6B0
      Malicious:false
      Reputation:unknown
      Preview:<html>..<head>..<meta name="GENERATOR" content="Presentation">..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>Movie</title></head>..<body bgcolor=#000000 scroll=no>....<object classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6" id="Movie1" WIDTH="<#SCREENWIDTH>" HEIGHT="<#SCREENHEIGHT>" style="position:absolute;left:0;top:0">.. <PARAM NAME="URL" VALUE="<#MMFILENAME>">.. <PARAM NAME="SendPlayStateChangeEvents" VALUE="True">.. <PARAM NAME="AutoStart" VALUE="True">.. <PARAM name="uiMode" value="none">.. <PARAM name="PlayCount" value="9999">.. <PARAM name="stretchToFit" VALUE="True">.. <PARAM name="enableContextMenu" VALUE="False">.. <PARAM name="Volume" VALUE="100">..</object>..</body>..</html>
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):571
      Entropy (8bit):5.398277713799248
      Encrypted:false
      SSDEEP:
      MD5:67D86D099C83137CBC23AC9C17535D73
      SHA1:F6915DD33D71B5E28A3BC764B98424F0CC6BD2E1
      SHA-256:D64B555B14182CD54AF01D955D3C68B7A453953EC78252C380E1E9B9A92B0579
      SHA-512:9B902CF3319BC955451EC7E4AFFA9E09E644BD6B8ABFD6FD69413A0F52A19E70A69C5BE6D8CA7F01A2806444E99DC7EEA2A3658F204CF34067A588188CEABD23
      Malicious:false
      Reputation:unknown
      Preview:<html>....<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>MOVIE</title>..</head>....<body bgcolor=#000000 scroll=no>....<p>..<object classid="clsid:E23FE9C6-778E-49D4-B537-38FCDE4887D8" id="MediaPlayer" WIDTH="<#SCREENWIDTH>" HEIGHT="<#SCREENHEIGHT>" style="position:absolute;left:0;top:0">.. <param name="Src" value="<#MMFILENAME>">.. <param name="AutoLoop" value="False">.. <param name="AutoPlay" value="True">.. <param name="ShowDisplay" value="False">.. <param name="Volume" value="100">..</object>..</p>....</body>....</html>
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):713
      Entropy (8bit):5.426060333101416
      Encrypted:false
      SSDEEP:
      MD5:6C06D40B6EC4FD517AC2E36965429007
      SHA1:56EA2FA79765F895AE5CC48091EA0498BB434A73
      SHA-256:859418D6AE870AE963703733B4A0B65EE4EBC2C1204213675F95CD4C5CB5C5BF
      SHA-512:D2506FDB39A5CA586BC1C72D5A7E1F243C194733E04F9ED265DA1ADAAE24F49CEBFB4280E1BB863C3DB0A2EE36732271E0C33C6D845786ABADC75345690879A8
      Malicious:false
      Reputation:unknown
      Preview:<html>..<head>..<meta name="GENERATOR" content="Presentation">..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>Flash</title></head>..<body bgcolor=#000000 scroll=no>....<table border=0 cellspacing="0" cellpadding="0" style="position:absolute;left:0;top:0;width:<#SCREENWIDTH>;height:<#SCREENHEIGHT>"><tr align=center valign=middle><td>..<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0" width="100%" height="100%">..<param name=movie value="<#MMFILENAME>">..<param name=quality value=high>..<param name=bgcolor value=#FFFFFF>..</object>..</td></tr></table>....</body>..</html>..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):451
      Entropy (8bit):5.2186599537103096
      Encrypted:false
      SSDEEP:
      MD5:FE876A19B96F046C4CB009D677B288A8
      SHA1:D05A509569DC2D2D99905E81C4073448E491843F
      SHA-256:57AB2AE2C711A7FFABC6D01806EA21A228A00FB7629816FFBA0A69ECB97FE875
      SHA-512:EDF89E7E2B817DC65DBC0208E70DD9FF7A832523BA4DEC6D2B70B2B5BDFC0D27C177C347255B0413799DB4C9795C979D665DC15092AC764100EB1792129028D1
      Malicious:false
      Reputation:unknown
      Preview:<html>..<head>..<#EFFECT>..<meta name="GENERATOR" content="Presentation">..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>Image</title></head>..<body bgcolor=#000000 scroll=no>....<table border=0 cellspacing="0" cellpadding="0" style="position:absolute;left:0;top:0;width:<#SCREENWIDTH>;height:<#SCREENHEIGHT>"><tr align=center valign=middle><td>..<img src="<#MMFILENAME>" border=0>..</td></tr></table>..</body>..</html>..
      Process:C:\Plasma\pbrowser.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):35
      Entropy (8bit):4.185867302411998
      Encrypted:false
      SSDEEP:
      MD5:AD37BA1B24D45F617F2CEA42F6475140
      SHA1:7D18AE15779B4E7EC0422316A09B0C08B5A5962A
      SHA-256:9F005EDAF5E4EDA2C2C0E4F028219A12AFD30D7C13F163BC730B48FA7DC707FC
      SHA-512:E9E5906FAE179CE5255C817B31325C55289CD8A89F0E91565A96CE9879A7963E68E529032DD02BE6AACAE1C0E558E90A42820144E605E4E72FE664B6DC81CC4F
      Malicious:false
      Reputation:unknown
      Preview:[MiscData]..Challenge=..Response=..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):551936
      Entropy (8bit):7.902328491086365
      Encrypted:false
      SSDEEP:
      MD5:0FFB6543E6E60C895920EFD6BB947630
      SHA1:6D4EBD4954023F1EA69D10C22030179E710BDEC5
      SHA-256:F86EA20D2063B492544C73A9FE6DE0A8271EE4C292125D9CA9642FD6F70A77C4
      SHA-512:1D715D1F05FB04FE6F3D474682D71955E37217055E3FB613E2D4050F6998386DECC399C7962A14DA1D2EBCB3CB61682D00C542A76C185EF06F2106D2B3DEB035
      Malicious:true
      Reputation:unknown
      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P... ......`........ ....@..........................@...................@...........................9....... ..............................................................................................................code....................................text.....P.......L..................@....rsrc.... ... .......P..............@..............................................................................................................................................................................................................................................................................................................................................................................1.20........
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):647168
      Entropy (8bit):7.90042787345556
      Encrypted:false
      SSDEEP:
      MD5:577686D8E6EDA9E05504BDD0A2E12BE7
      SHA1:1B6297F85D5B1BE66763CF7C500722567E476BAD
      SHA-256:CCC528548CF832C745701474EDA4C355815A05484EF96EFF630751451D1CC43D
      SHA-512:771C40D8C4D51F7D0456C893C92329F715F8B46B8BEA04FDC323192CB5D0798376893B323623AB04BA1F4865891B825E8D29075838104A6BB94F283FEFE44B82
      Malicious:true
      Reputation:unknown
      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................0...................@..............................................@.........................................................................................`.......................................................code....................................text................................@....rsrc....0......."..................@..............................................................................................................................................................................................................................................................................................................................................................................1.20........
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):183808
      Entropy (8bit):7.890078496563441
      Encrypted:false
      SSDEEP:
      MD5:0E8CC8043E564DCD1C3E101969DAAC69
      SHA1:2382A93AC0E30CBB30199128AA51C7FE56D6AF43
      SHA-256:50264F34F96540084F166A97199E726B203C11476E908F4D74D0458445E8B611
      SHA-512:2C7862F97D8AE6481C3396FC2E0F11129D13742F7B1C1DEDA781FB5094D66744543F0509E599C10BBE6EA19D270250A73273C7D966C8890B4A1FEDA2B4FB6CAD
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Reputation:unknown
      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..........................................................................................0.......................................................code....................................text................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................................1.20........
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Category:dropped
      Size (bytes):54755
      Entropy (8bit):6.648903312012475
      Encrypted:false
      SSDEEP:
      MD5:CACF354184D563CCBABAC0EE6BA7F396
      SHA1:A3FC140B51B5061FBBAE406C23EA860E4969A7D9
      SHA-256:B76549696E8D925594E0802B697ABA7E8C5CD15D3940A30CAA572F6629B6AE9A
      SHA-512:AB64548287002A0B6E9A94C92C9F7C23372068D3467CEDFB6EE0189AA8EB4B83DB1D47D93F133DC72B5837FAEEE6E508BAE4B5938AD5644C93BDE522BB3BCF05
      Malicious:true
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L.....G.................\...........0.......p....@..........................................................................t..........H@...........................................................................p...............................text...0[.......\.................. ..`.rdata.......p.......`..............@..@.data...X\...........t..............@....ndata...................................rsrc...H@.......B...x..............@..@........................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):584
      Entropy (8bit):4.26168795897989
      Encrypted:false
      SSDEEP:
      MD5:8B924E5590FCC395A818CF360783C666
      SHA1:F1B223FC951C84BDA48791C460AD9374E9F22BF5
      SHA-256:D39F1C40ABB042EDE08E307176EF905C749BA1FEA99C97FE091EE487D6DF6FA9
      SHA-512:E0857AEDBA90CBC74CAD959AF39E442444B3DA9F9D2087D92B0FD0FF5DB7F5AC40EFE9FE2A7D0355AB39048D4C24CD77438BCD91ABC7F45838BF20F39B468B7E
      Malicious:false
      Reputation:unknown
      Preview:..[.U.n.i.c.o.d.e.S.t.r.i.n.g.s.].....T.a.b.l.o.H.e.a.d.T.e.x.t.=...;.8.5.=.B. ..! . . . . ...5.A.B.>.....T.a.b.l.o.H.e.a.d.T.e.x.t.L.e.f.t.=...0.A.A.0.6.8.@. ..! . . . . ...0.3.>.=.....L.o.c.H.e.a.d.T.e.x.t.=. .0.A.?.>.;.>.6.5.=.8.5.....C.a.l.l.M.s.g.=.....'...........". . .%.0.:.s.|..............."...|... .!."......... . .%.1.:.s.....'.A.r.r.L.e.f.t.=... .....'.A.r.r.R.i.g.h.t.=.......A.r.r.M.i.n.u.s.=.-.-.....A.r.r.L.e.f.t.R.i.g.h.t.=.9 : ....A.r.r.L.e.f.t.=.9 9 ....A.r.r.R.i.g.h.t.=.: : ....A.r.r.D.o.w.n.=.'. ...'.....A.r.r.U.p.=.'. ...'.....A.r.r.U.p.D.o.w.n.=.'.....'.....
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8308802266007018
      Encrypted:false
      SSDEEP:
      MD5:99D223C28A8EDEEB4E2664AEE795924B
      SHA1:D8CFBFD918D79D0D1B6E5778401CAB68E1859D7A
      SHA-256:20D38DC9288FD4892B4578561ED9E36E2299C2FEDEDE7B55AAA20E872909F7D3
      SHA-512:05BEF7F282A04ACC4FB8437F44A7FF576EA8C83D9639E851C42C536775FF7550FFC2BD5B36711B715BA46D24C06184ADE8A5758EA619EEF5DAB27263BFCA3808
      Malicious:false
      Reputation:unknown
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.1.2.6.2.6.8.8.0.2.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.6.1.2.6.3.0.2.1.0.2.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.5.b.4.7.3.0.-.6.8.4.3.-.4.b.6.e.-.a.c.8.3.-.c.9.4.9.d.0.2.5.0.b.8.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.e.6.c.0.b.4.-.3.1.e.4.-.4.d.1.0.-.8.6.b.9.-.1.e.5.2.a.4.d.a.3.2.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.m.a.n.a.g.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.f.8.-.0.0.0.1.-.0.0.1.6.-.2.9.5.6.-.f.4.1.c.a.c.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.a.b.8.c.5.a.8.8.8.0.e.6.e.2.5.1.1.b.e.a.d.b.3.a.4.3.8.7.3.6.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.6.2.9.7.f.8.5.d.5.b.1.b.e.6.6.7.6.3.c.f.7.c.5.0.0.7.2.2.5.6.7.e.4.7.6.b.a.d.!.p.m.a.n.a.g.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8242898852883839
      Encrypted:false
      SSDEEP:
      MD5:1102822F809142499913FAEE68B44095
      SHA1:387338419FC75E69BD6EA966D4EA9F2A28FD28AC
      SHA-256:4933469A8C47B0D9254CB72CE12DC0BD4C558BF111F3D1CD16168456C21E8AF8
      SHA-512:ED2AD2F01DFF073BBF8F755C3498669D97CCADDF69976F61D95E4A742FDB74278DF127069E1941342E77BAD62851D3EE008709B2C7E24781B6A5FF074203B724
      Malicious:false
      Reputation:unknown
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.1.3.0.5.5.5.6.8.8.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.6.1.3.0.5.7.9.3.8.8.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.d.6.b.9.e.6.-.a.c.b.0.-.4.2.4.a.-.a.c.3.8.-.5.f.d.c.2.5.4.9.9.5.e.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.5.3.3.6.d.0.-.c.9.a.1.-.4.4.b.e.-.8.f.0.b.-.d.d.d.a.5.f.0.7.4.f.3.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.m.a.n.a.g.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.4.c.-.0.0.0.1.-.0.0.1.6.-.7.9.e.d.-.8.f.3.6.a.c.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.a.b.8.c.5.a.8.8.8.0.e.6.e.2.5.1.1.b.e.a.d.b.3.a.4.3.8.7.3.6.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.6.2.9.7.f.8.5.d.5.b.1.b.e.6.6.7.6.3.c.f.7.c.5.0.0.7.2.2.5.6.7.e.4.7.6.b.a.d.!.p.m.a.n.a.g.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8242457482071189
      Encrypted:false
      SSDEEP:
      MD5:FD0480ADE0B78837663EF73D9BFB5ADE
      SHA1:941594E346A42EE1C03C98AEEBC716AA36EB272B
      SHA-256:241E45FC14279062F8C504CC8D2DD830483574039FA23966A5E8DCEE446E9028
      SHA-512:56227D56A96A2BC8EDB933580E1CA0C395F476F832C06BE646F06E5E25065D08FFD3A64BC8BF36358B20202044090D6760032930544106F7F4AFC75C621B562C
      Malicious:false
      Reputation:unknown
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.6.1.2.6.9.4.4.9.9.7.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.6.1.2.6.9.7.3.6.9.7.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.a.f.b.5.d.5.-.c.6.f.d.-.4.a.f.c.-.b.6.6.2.-.5.8.6.a.0.3.3.8.6.2.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.6.4.b.4.7.d.-.b.9.e.0.-.4.e.9.0.-.9.2.3.f.-.f.8.0.b.3.3.6.e.0.5.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.m.a.n.a.g.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.d.4.-.0.0.0.1.-.0.0.1.6.-.b.7.a.4.-.0.d.2.1.a.c.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.a.b.8.c.5.a.8.8.8.0.e.6.e.2.5.1.1.b.e.a.d.b.3.a.4.3.8.7.3.6.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.6.2.9.7.f.8.5.d.5.b.1.b.e.6.6.7.6.3.c.f.7.c.5.0.0.7.2.2.5.6.7.e.4.7.6.b.a.d.!.p.m.a.n.a.g.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
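The three Report.wer files dropped by WerFault.exe above all name pmanager.exe as the crashing image (NsAppName) and carry a TargetAppId whose middle segment, after a short run of zeros, is 1b6297f85d5b1be66763cf7c500722567e476bad. That value equals the SHA1 of the 647168-byte dropped PE listed earlier on this page, so the crash reports identify which dropped binary pmanager.exe is without any filename being present in this section. The script below is an added example, not part of the Joe Sandbox report: it parses a constructed plain-text rendering of the first Report.wer (the real file is UTF-16LE) and matches the recovered SHA1 against the hashes of the three dropped PE files flagged Malicious:true. The assumption that the TargetAppId segment ends in the SHA1 of the crashed image is inferred from this report's own values, not from documentation; the function names and the DROPPED_PE_SHA1 descriptions are the example's own.

```python
import re

# Constructed plain-text rendering of the first Report.wer listed above.
# Only the keys needed for the correlation are reproduced; the values are
# copied from the report's preview.
WER_REPORT = """\
Version=1
EventType=APPCRASH
NsAppName=pmanager.exe
TargetAppId=W:0006f8ab8c5a8880e6e2511beadb3a43873600000ffff!00001b6297f85d5b1be66763cf7c500722567e476bad!pmanager.exe
"""

# SHA1 -> short description for the three dropped PE files flagged
# Malicious:true in the listing above (lowercased for comparison).
DROPPED_PE_SHA1 = {
    "6d4ebd4954023f1ea69d10c22030179e710bdec5": "PE32 GUI, 551936 bytes",
    "1b6297f85d5b1be66763cf7c500722567e476bad": "PE32 GUI, 647168 bytes",
    "2382a93ac0e30cbb30199128aa51c7fe56d6af43": "PE32 GUI, 183808 bytes",
}

# TargetAppId as seen in this report: W:<app id>!<zero-padded hash>!<image>
TARGET_APP_ID_RE = re.compile(
    r"^W:(?P<appid>[0-9a-f]+)!(?P<hash>[0-9a-f]+)!(?P<exe>[^!]+)$", re.IGNORECASE
)


def parse_wer(text):
    """Parse the key=value lines of a Report.wer into a dict (first value wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields


def target_app_sha1(target_app_id):
    """Return the 40-hex SHA1 at the end of a TargetAppId's middle segment.

    Assumption (verified only against this report's hashes): the middle
    segment is zero-padded and ends with the SHA1 of the crashed image.
    Returns None when the value does not have the expected shape.
    """
    m = TARGET_APP_ID_RE.match(target_app_id.strip())
    if not m or len(m.group("hash")) < 40:
        return None
    return m.group("hash")[-40:].lower()


def correlate_crash(wer_text, dropped_sha1):
    """Link a Report.wer to a dropped file by SHA1.

    Returns the crashed image name, the SHA1 recovered from TargetAppId,
    whether NsAppName agrees with the image named in TargetAppId, and the
    description of the matching dropped file (None if no dropped file has
    that SHA1).
    """
    fields = parse_wer(wer_text)
    tid = fields.get("TargetAppId", "")
    sha1 = target_app_sha1(tid)
    m = TARGET_APP_ID_RE.match(tid.strip())
    exe_from_id = m.group("exe") if m else None
    consistent = (
        exe_from_id is not None
        and fields.get("NsAppName", "").lower() == exe_from_id.lower()
    )
    return {
        "event": fields.get("EventType"),
        "image": fields.get("NsAppName"),
        "sha1": sha1,
        "name_consistent": consistent,
        "dropped": dropped_sha1.get(sha1) if sha1 else None,
    }


if __name__ == "__main__":
    print(correlate_crash(WER_REPORT, DROPPED_PE_SHA1))
```

Run against the constructed report, the result names pmanager.exe, recovers 1b6297f85d5b1be66763cf7c500722567e476bad and maps it to the 647168-byte PE. The same check applied to the other two Report.wer previews above yields the identical SHA1, which is consistent with all three crashes coming from the one dropped binary.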
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Sat Dec 21 13:27:49 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):51450
      Entropy (8bit):2.012621643788533
      Encrypted:false
      SSDEEP:
      MD5:B82D3368558420699FB6BC0135915241
      SHA1:AAE24DA4E1094C9F963525D0153BF7200C33A853
      SHA-256:F55736D8B8DBAF48E899215DC2E21BE3B13D721D9E734660E8A90A871C448CF4
      SHA-512:34AE916CA444A2D54F50176E6F70D5CACECB23EB179C89B8B3FD44D9D58DC7BF3C46ADE891E4897D883898071B94203DF99691AB430E21E3DF13020120560391
      Malicious:false
      Reputation:unknown
      Preview:MDMP..a..... .......U.fg........................................r,..........T.......8...........T.......................................l...............................................................................eJ..............GenuineIntel............T...........U.fg............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8306
      Entropy (8bit):3.6932881701567353
      Encrypted:false
      SSDEEP:
      MD5:A97E41A8C2737D4A79B8E6BF13765AFC
      SHA1:01C2A027FD32282B1D5A3D4CA2690A93DBA12003
      SHA-256:34417CC3C58E748855A45BEA183625AD14D6A54D69C5ECEC8B3298C3E1A9A739
      SHA-512:B4DD96C3244BE0BF0357B52F44ED0A8044A9147FD9BBC9578A7C8A6B8325CE0B1C60FF32E37700F848DD3D0D836FAC09F1C4412647048B69F235B8C833E0E991
      Malicious:false
      Reputation:unknown
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.7.6.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4585
      Entropy (8bit):4.45291914842677
      Encrypted:false
      SSDEEP:
      MD5:EE31E16D1203354331D6594E939EDEC2
      SHA1:B1EC47E5FA96339C3F336C68FF70E587CC0ED56A
      SHA-256:100A3C2FB9B4E4CC110B1423EF245E8805737C2DB506C71F32D070AC221EA1CB
      SHA-512:58408F78FED56406198A51F07E36B194910B69D4DFAED6CDBE310914156D04D86B4BB4F9B1756FAB28A0C9BEC4757CE8C749FA860E178B419275F45406CCDD74
      Malicious:false
      Reputation:unknown
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641070" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Sat Dec 21 13:28:25 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):51362
      Entropy (8bit):2.003353822741746
      Encrypted:false
      SSDEEP:
      MD5:22041767487AC81618362A019FF581BF
      SHA1:F74E1D721C30317749BB6B151CBEC1BC3BECD945
      SHA-256:70E0BDBD908D2626A4FFA618E390CB55323DD2172ACAFBFDCCF3FFC2D98AD93A
      SHA-512:981DD71ADD3B4CB244C40E70838E4BE94EFF84F89B45055A3EE49A63E285CAAB41D5877AFEEF53165985BACB4B1900B3D12527D0BF2012306B2E270FD397FF37
      Malicious:false
      Reputation:unknown
      Preview:MDMP..a..... .......y.fg........................................r,..........T.......8...........T......................................l...............................................................................eJ..............GenuineIntel............T.......L...y.fg............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8310
      Entropy (8bit):3.6926277561563774
      Encrypted:false
      SSDEEP:
      MD5:7B654EB0837462817FB123F7DCB296B8
      SHA1:667DB14EAC97B7250EC30D0DD9DCA750E71E257E
      SHA-256:80E36FECD1C5FD51F51C0605EB0AFE7776CF0D17631A2A9178C9D039D9A227F5
      SHA-512:AF8FF002D57D0764643860DD73CF44B3D696FF7E847D82FEC780B7467EA54DE6773C204BB391D43CB8F4E45ED62988560E57A360697A0AB41E93BB7745F34302
      Malicious:false
      Reputation:unknown
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.1.6.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4585
      Entropy (8bit):4.452801253856559
      Encrypted:false
      SSDEEP:
      MD5:A878535ABFE887190C06B733FCC5ACD5
      SHA1:24630B3A0E7C3A637142A61FD69F6058F6E8753E
      SHA-256:D73334945A4CC54D0CDFECB70F54ED13C20D836C2A01315CED622211D4593A0A
      SHA-512:5A696E1EB5441D88A3ACBFAC42841F3111D694B2019B63B54BCFDB844789A37CF265071802CA8AA6EBA6AA91816EF345FAB70050607C1B65747135172E3A37AD
      Malicious:false
      Reputation:unknown
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641071" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Sat Dec 21 13:27:42 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):51778
      Entropy (8bit):2.005155544649473
      Encrypted:false
      SSDEEP:
      MD5:AE9F837013F7ED9DB7EA7FC73BE73641
      SHA1:C025E48AF179C5A5C3A4D65DC1502A658E531AE6
      SHA-256:4203840D01D1888665A5CADC3E0461D83A3EA477CECD8990ABC97BCF76A67167
      SHA-512:D4C4D52EE261BEF9C131531A45C7E91051996467913EEB1F6E0D253BD74C735CDFE51E23444E10411C9E1FF4CF0D1E09E19C8BC9B0D725F8CE0DEC66DFF81940
      Malicious:false
      Reputation:unknown
      Preview:MDMP..a..... .......N.fg.........................................,..........T.......8...........T...............j.......................................................................................................eJ......p.......GenuineIntel............T...........N.fg............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8306
      Entropy (8bit):3.693619131953418
      Encrypted:false
      SSDEEP:
      MD5:B4DF0D3903C731E85799AE1B02DB2C97
      SHA1:732E120199CC853DF41BDDE35D6C805370E427D9
      SHA-256:88482A7CD7D2B1AE3F152318D236DDB0236C90C216E57723E4F4009895731E2C
      SHA-512:849E0F65E80CF27933B6072E6E53782EFB859880C8061F50005CE3F635B44B95449D8A958795A34EB4456A4D645DCA0BDA7A0AA1E9FE03C4BAF2BD57328ECB62
      Malicious:false
      Reputation:unknown
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.5.6.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4585
      Entropy (8bit):4.4512488322320625
      Encrypted:false
      SSDEEP:
      MD5:42E7F51A07270A890632B980B82D9B29
      SHA1:BE58D8BCE13D96769E860D9D0933908309111035
      SHA-256:7B7A8914CC98717A27B2E2831656A43BADF217A4DB17F3F19E1C31D09A783B77
      SHA-512:109555E62344B4D3960DCAD5B9BC725C494C5E71F1BE8C5AF7A669A5AD6319E502F12C8C56FF875AFB533F6D7503A8825C9187436539D9CF756BD148369CBDD1
      Malicious:false
      Reputation:unknown
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="641070" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):14336
      Entropy (8bit):5.670858881405612
      Encrypted:false
      SSDEEP:
      MD5:F62D03FCB1473110E920A9BB2C701006
      SHA1:C48444EF2DAA60DCDF91F1645CD4ECD8E66545F7
      SHA-256:17E2F205AF12D5A86638DC83C95FC69199C41AF2FA6DAEB1E91EC330F68C5372
      SHA-512:701D531D405D08054D53298141D5BBD56E74DF7B22BCEA5F9F0E5C4407421EA0CA9617AA84E740DC1DC44E6D14E58852C1CA2087213CC2319F2DA44EAED0BC05
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$K.y`*.*`*.*`*.*`*.*(*.*.".*m*.*4..*a*.*.,.*a*.*...*a*.*Rich`*.*........................PE..L.....G...........!.........:......+*.......0.......................................................................8..p...81.......p..........................8....................................................0..8............................text............................... ..`.rdata.......0....... ..............@..@.data...!(...@.......*..............@....rsrc........p.......2..............@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):5120
      Entropy (8bit):4.0496414745318905
      Encrypted:false
      SSDEEP:
      MD5:C9AC0758CE8C10793D39655064C653CB
      SHA1:8BA1F9DFCC671B5102F5940DA67570C28252BC71
      SHA-256:161D69C50E5C50D853FDA129B6F6F6BC241214B87D13A33BF93543E7E6886119
      SHA-512:54A8C2DED9A42DE867C8A89A11701BCDB5D51AEA168C4F3FFE8991859CF26F15D478B6111C85732C1059EDBFD9408E42CA830706347A8AC87C5064E47D823349
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j&...H...H...H...I...H.v.....H..(x...H.2.N...H..+L...H.Rich..H.........................PE..L.....G...........!......................... ...............................`......................................p"..I...` ..P....@..`....................P....................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:Generic INItialization configuration [Field 1]
      Category:modified
      Size (bytes):549
      Entropy (8bit):5.365896363256505
      Encrypted:false
      SSDEEP:
      MD5:6BC3A03A4D2B934F8DF9B89AAD1F297D
      SHA1:2E907F8AB59FCC91D556D455C3F0DD88B1F64FA1
      SHA-256:BA10F15EE6D2C6939ABAD00D029EDCD8C75E0A409B70F518190F51974300873A
      SHA-512:F48D25EC9DCDD2B0D555901F2BAA52C535557A8B88B2D285D3B4C41B4E62311E08BF37A42EB623BC31EAA210B2BD6E477912E19D12AB0169AA20DE39C49907EE
      Malicious:false
      Reputation:unknown
      Preview:[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=&Finish..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nsc7F3F.tmp\modern-wizard.bmp..HWND=262884..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Completing the Plasma 1.1 Setup Wizard..Bottom=38..HWND=262892..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=Plasma 1.1 has been installed on your computer.\r\n\r\nClick Finish to close this wizard...HWND=262900..
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
      Category:dropped
      Size (bytes):26494
      Entropy (8bit):1.9568109962493656
      Encrypted:false
      SSDEEP:
      MD5:CBE40FD2B1EC96DAEDC65DA172D90022
      SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
      SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
      SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
      Malicious:false
      Reputation:unknown
      Preview:BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:08 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:08 2010, length=551936, window=hide
      Category:dropped
      Size (bytes):663
      Entropy (8bit):4.4364559222111595
      Encrypted:false
      SSDEEP:
      MD5:A5AE8B2C607D146CEA1EE680C3A5C25A
      SHA1:B35A89F700065B3B79F0849EBB67290E81A41F39
      SHA-256:6E92E41AE1FC60B5C152CF50C92BE2029C1DFAC9696477D169BD5C8CB388D5F5
      SHA-512:6A9A60118406222D3445B343CEACEC4FB568B442C45740912CBC891E321A10D9A37155120A806BF9DBE7ECCD730CAEB06948C4193DACF60547B712058B763B26
      Malicious:false
      Reputation:unknown
      Preview:L..................F.... ....p.Z_........S...p.Z_....l...........................P.O. .:i.....+00.../C:\...................T.1......Ypk..Plasma..>......Ypk.Ypk...........................\.P.l.a.s.m.a.....f.2..l..s<Dc .pbrowser.exe..J......s<Dc.Ypk.............................p.b.r.o.w.s.e.r...e.x.e.......E...............-.......D..............f.....C:\Plasma\pbrowser.exe........\.....\.....\.....\.....\.....\.....\.....\.....\.P.l.a.s.m.a.\.p.b.r.o.w.s.e.r...e.x.e...C.:.\.P.l.a.s.m.a.`.......X.......841618...........hT..CrF.f4... ..............%..hT..CrF.f4... ..............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:28 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:28 2010, length=647168, window=hide
      Category:dropped
      Size (bytes):663
      Entropy (8bit):4.426419516646913
      Encrypted:false
      SSDEEP:
      MD5:FAABD6D432BA62D5F219BA0BF9FB3FD5
      SHA1:6AAEF0BF92AC54DC17D2C307607D8EA6B3AB562A
      SHA-256:F079DFEF4847C5D25228C4A840CEAF8E6C587D70A563127F8AB170AB051D73D6
      SHA-512:6D951BB843507AFFA0349A8C1F2D483998D335D836C9B474CD44A6CCCB8665BFFD2AD30C8F3FDEE7F83457F8DBBDC61C931301295BF96B8F6A918158ECD5D3E6
      Malicious:false
      Reputation:unknown
      Preview:L..................F.... ....2.e_....5x..S...2.e_................................P.O. .:i.....+00.../C:\...................T.1......Ypk..Plasma..>......Ypk.Ypk...........................].P.l.a.s.m.a.....f.2.....s<Nc .pmanager.exe..J......s<Nc.Ypk.............................p.m.a.n.a.g.e.r...e.x.e.......E...............-.......D..............f.....C:\Plasma\pmanager.exe........\.....\.....\.....\.....\.....\.....\.....\.....\.P.l.a.s.m.a.\.p.m.a.n.a.g.e.r...e.x.e...C.:.\.P.l.a.s.m.a.`.......X.......841618...........hT..CrF.f4... .O.............%..hT..CrF.f4... .O.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
      Category:dropped
      Size (bytes):419
      Entropy (8bit):2.5416169744431287
      Encrypted:false
      SSDEEP:
      MD5:85F75995C1668699EFCA3689B18AAAAF
      SHA1:BCF7A25E72C69FD4959A9A426891F3243BB5565D
      SHA-256:C661ABFD6D4E5D360A591BD975980A400E3495CBFDF5DEAD8BC88C4C5520E172
      SHA-512:D60ACADED755BD3471018D744613B2165AD74200906473E0FEF23A886B49C6A21C3E936B6D05D081FA3F9424C0C64100B55DC36E2642B48D61BDD08DC4D81D2D
      Malicious:false
      Reputation:unknown
      Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................T.1...........Plasma..>............................................P.l.a.s.m.a.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......,.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.l.a.s.m.a.\.u.n.i.n.s.t...e.x.e...C.:.\.P.l.a.s.m.a.....
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Dec 21 12:27:31 2024, mtime=Sat Dec 21 12:27:31 2024, atime=Sat Dec 21 12:27:31 2024, length=46, window=hide
      Category:dropped
      Size (bytes):651
      Entropy (8bit):4.397982843954605
      Encrypted:false
      SSDEEP:
      MD5:D22C9812CB97245A0E8A6B6FED0138C1
      SHA1:A95D84119D0016D7F8D4EEC824CB2C66CE2437A0
      SHA-256:6461B752A9DDACFE71E25E00AFE5F915A00613CF90AF8CCB216FFB97A05D40CE
      SHA-512:92536FD3639729AD9AF8AF00C44C44694F39C2D6ABA6517D759380FE1A16F4C123FECE29BB40F45009DE9AB862F10E3D0A2231D3D73C5B1EA69FECEEEBDA1316
      Malicious:false
      Reputation:unknown
      Preview:L..................F.... ...k....S..l...S..l...S...............................P.O. .:i.....+00.../C:\...................T.1......Ypk..Plasma..>......Ypk.Ypk...........................5.P.l.a.s.m.a.....`.2......Ypk .Plasma.url..F......Ypk.Ypk............................$.P.l.a.s.m.a...u.r.l.......C...............-.......B..............f.....C:\Plasma\Plasma.url..,.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.l.a.s.m.a.\.P.l.a.s.m.a...u.r.l...C.:.\.P.l.a.s.m.a.`.......X.......841618...........hT..CrF.f4... .Z.............%..hT..CrF.f4... .Z.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:08 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:08 2010, length=551936, window=hide
      Category:dropped
      Size (bytes):627
      Entropy (8bit):4.518430890238079
      Encrypted:false
      SSDEEP:
      MD5:B56FB70EB43918AC88B8BF849DADF845
      SHA1:F37224A2F49190CEEF600B6388FB11BAD3C2BF7C
      SHA-256:C390A791A6DC1371C86758E3D1998EA1C834C9475A70D8C1DE72777EC68EEDE2
      SHA-512:7684033183CC6B76290BC2C323BE55E628D62D0CDDC30A62110BCCFDE027185894C507D2750914E14332427C944E03C777EBA84C0197686E3991DE5DF73CE297
      Malicious:false
      Reputation:unknown
      Preview:L..................F.... ....p.Z_...l...S...p.Z_....l...........................P.O. .:i.....+00.../C:\...................T.1......Ypk..Plasma..>......Ypk.Ypk..........................rN.P.l.a.s.m.a.....f.2..l..s<Dc .pbrowser.exe..J......s<Dc.Ypk.............................p.b.r.o.w.s.e.r...e.x.e.......E...............-.......D..............f.....C:\Plasma\pbrowser.exe........\.....\.....\.P.l.a.s.m.a.\.p.b.r.o.w.s.e.r...e.x.e...C.:.\.P.l.a.s.m.a.`.......X.......841618...........hT..CrF.f4... ..............%..hT..CrF.f4... ..............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
      Process:C:\Users\user\Desktop\PlasmaSetup@LR_2.exe
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Mar 19 11:26:28 2010, mtime=Sat Dec 21 12:27:31 2024, atime=Fri Mar 19 11:26:28 2010, length=647168, window=hide
      Category:dropped
      Size (bytes):627
      Entropy (8bit):4.497258580865349
      Encrypted:false
      SSDEEP:
      MD5:93D864E617A5A6AB19987AA9572DBE61
      SHA1:C1CBE5C8A9BCDC10A8053925BDFF7DD71D03706B
      SHA-256:4CFAAC108F078528D2F67C141BC233244D0C81AF639490BD9D8C68EB284FA316
      SHA-512:E4D556E0E1F3A049D1DB69C1BAA1E7A7E36D021948FF1E112384E55FCC369994D4673F099A4ECA07595DB88852D20495334DCB7C4C66938261C4F375F5498063
      Malicious:false
      Reputation:unknown
      Preview:L..................F.... ....2.e_...[%...S...2.e_................................P.O. .:i.....+00.../C:\...................T.1......Ypk..Plasma..>......Ypk.Ypk...........................\.P.l.a.s.m.a.....f.2.....s<Nc .pmanager.exe..J......s<Nc.Ypk.............................p.m.a.n.a.g.e.r...e.x.e.......E...............-.......D..............f.....C:\Plasma\pmanager.exe........\.....\.....\.P.l.a.s.m.a.\.p.m.a.n.a.g.e.r...e.x.e...C.:.\.P.l.a.s.m.a.`.......X.......841618...........hT..CrF.f4... .O.............%..hT..CrF.f4... .O.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Entropy (8bit):7.993629636667633
      TrID:
      • Win32 Executable (generic) a (10002005/4) 92.16%
      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:PlasmaSetup@LR_2.exe
      File size:2'046'487 bytes
      MD5:3443898e0b0bd2a27c1bcebfe41b702e
      SHA1:3d83edc844cb4c011e9a5a554fe99a6f128e21ca
      SHA256:de4c90695da23b3ed3a399bf5cdc2e5f85f3c074180480b19fb54dcb0ece007f
      SHA512:3dbcf335693fef0c5694f93b6286be3b2908946ac92a86488e7990ae823f5ca11255202951c40db50d1f2f6d246db5f3b6affba154f7e3b4e7fd3b8a811f6f6b
      SSDEEP:49152:FSLjk6oZMTsCv8hv2Xduz2B5x+KdndUdo:ajlogsrhv2G2Bimnl
      TLSH:C895339AF0EECCA2C195C07C2BB0AE753FBB91952220CD56BD50C67BC1651EF8631E58
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......G.................\...........0.....
      Icon Hash:0771ccf8d84d2907
      Entrypoint:0x4030ed
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      DLL Characteristics:
      Time Stamp:0x47ACC8B7 [Fri Feb 8 21:25:11 2008 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:7fa974366048f9c551ef45714595665e
      Instruction
      sub esp, 00000180h
      push ebx
      push ebp
      push esi
      xor ebx, ebx
      push edi
      mov dword ptr [esp+18h], ebx
      mov dword ptr [esp+10h], 00409158h
      xor esi, esi
      mov byte ptr [esp+14h], 00000020h
      call dword ptr [00407030h]
      push 00008001h
      call dword ptr [004070B0h]
      push ebx
      call dword ptr [0040727Ch]
      push 00000008h
      mov dword ptr [0042EC18h], eax
      call 00007FA814B6BA16h
      mov dword ptr [0042EB64h], eax
      push ebx
      lea eax, dword ptr [esp+34h]
      push 00000160h
      push eax
      push ebx
      push 00428F90h
      call dword ptr [00407158h]
      push 0040914Ch
      push 0042E360h
      call 00007FA814B6B6CDh
      call dword ptr [004070ACh]
      mov edi, 00434000h
      push eax
      push edi
      call 00007FA814B6B6BBh
      push ebx
      call dword ptr [0040710Ch]
      cmp byte ptr [00434000h], 00000022h
      mov dword ptr [0042EB60h], eax
      mov eax, edi
      jne 00007FA814B68F3Ch
      mov byte ptr [esp+14h], 00000022h
      mov eax, 00434001h
      push dword ptr [esp+14h]
      push eax
      call 00007FA814B6B1AEh
      push eax
      call dword ptr [0040721Ch]
      mov dword ptr [esp+1Ch], eax
      jmp 00007FA814B68F95h
      cmp cl, 00000020h
      jne 00007FA814B68F38h
      inc eax
      cmp byte ptr [eax], 00000020h
      je 00007FA814B68F2Ch
      cmp byte ptr [eax], 00000022h
      mov byte ptr [eax+eax+00h], 00000000h
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x4048 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x5b30 | 0x5c00 | c09c7c2846d45de61bda7a8f459949b0 | False | 0.6754840353260869 | data | 6.479127963844318 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x7000 | 0x129c | 0x1400 | 165e3e874dc59c8a96748c6f4d0f4207 | False | 0.4337890625 | data | 5.049042548670051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x9000 | 0x25c58 | 0x400 | 604372cf99db98d6c5f18501018b4413 | False | 0.5791015625 | data | 4.7679245398499575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .ndata | 0x2f000 | 0x9000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x38000 | 0x4048 | 0x4200 | b16610257f22e96f6f473f1a934321e4 | False | 0.6151751893939394 | data | 5.827979327446954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_ICON | 0x382e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7213883677298312
      RT_ICON | 0x39388 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6751066098081023
      RT_ICON | 0x3a230 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7851985559566786
      RT_ICON | 0x3aad8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.6560693641618497
      RT_ICON | 0x3b040 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8031914893617021
      RT_ICON | 0x3b4a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.3118279569892473
      RT_ICON | 0x3b790 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.36824324324324326
      RT_DIALOG | 0x3b8b8 | 0x120 | data | English | United States | 0.5138888888888888
      RT_DIALOG | 0x3b9d8 | 0x202 | data | English | United States | 0.4085603112840467
      RT_DIALOG | 0x3bbe0 | 0xf8 | data | English | United States | 0.6290322580645161
      RT_DIALOG | 0x3bcd8 | 0xee | data | English | United States | 0.6302521008403361
      RT_GROUP_ICON | 0x3bdc8 | 0x68 | data | English | United States | 0.7115384615384616
      RT_MANIFEST | 0x3be30 | 0x215 | XML 1.0 document, ASCII text, with very long lines (533), with no line terminators | English | United States | 0.575984990619137
      DLL | Import
      KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
      USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
      GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
      SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
      ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
      COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
      ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
      VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
      Language of compilation system | Country where language is spoken | Map
      English | United States |